Virus-Test didn't know about this.

Discussion in 'other anti-virus software' started by Loqka, Jan 20, 2006.

Thread Status:
Not open for further replies.
  1. Loqka

    Loqka Guest

    edit - copied from http://overclockers.com/articles1260/ - Detox


    I know this is off topic but I thought this might interest some of you. I get asked all the time about viruses from my students and clients, so three years ago I started doing an IT security workshop with all my classes. One part of it is testing and trying out various antivirus programs. I personally ran all the tests myself and then the students did, so we could make sure the results are consistent. So here, in short, is a handout they received.
    antivirus test:

    • Most of the popular antivirus programs found today were used.
    • Every antivirus program was fully updated prior to the test and set to its deepest scanning settings.
    • The exact virus count in the file is unknown but there are over "10000".
    • The file contains many types of viruses, trojans, worms etc.
    • Scans were done on a P4 2.8c with Windows XP Pro SP2.
    - 9/10/05, just some months ago.

    Antivirus Viruses found:
    McAfee VirusScan 8 9883
    Panda Platinum Internet Security V8.05 9985
    F-Secure Anti-Virus 5.41 9976
    Kaspersky 4.5 9996
    Kaspersky 5 9967
    Avast.Professional.Edition.v4.6.623 9757
    Bit Defender Professional Plus 8 9953
    Eset Nod32 v2.12.1 9689
    Grisoft AVG Pro.V7.0.143 9507
    Trend Micro PC-cillin 2003 9938
    Trend Micro PC-cillin 2005 10084
    Symantec Norton 2004 10028
    Symantec Norton 2005 10028
    F-Prot 3.16a 9386 (+549 ‘suspicious’)
    Etrust EZantivirus 2005 7.0.6.7 9580

    edited to give credit to source - Detox
     
    Last edited by a moderator: Jan 21, 2006
  2. Loqka

    Loqka Guest

    Results:
    All the AntiVirus used with the BlackSpear settings.

    McAfee VirusScan 8 9,883
    McAfee VirusScan 10¹ 10,026
    Panda Platinum Internet Security V8.05 9,985
    F-Secure Anti-Virus 5.41 9,976 40
    Kaspersky 4.5 9,996
    Kaspersky 5 9,967
    Avast.Professional.Edition.v4.6.623 9,757
    Bit Defender Pro 8 9,953
    Bit Defender Pro 9¹ 9,953
    Eset Nod32 v2.12.1 9,689
    Eset Nod32 v2.5¹ 9,707
    Grisoft AVG Pro.V7.0.143 9,507
    Trend Micro PC-cillin 2003 9,938
    Trend Micro PC-cillin 2005 10,084
    Symantec Norton 2004 10,028
    Symantec Norton 2005 10,028
    F-Prot 3.16a 9,386 (+549 'suspicious')
    Etrust EZantivirus 2005 7.0.6.7 9,580
    Clamwin 0.86.2 9,917
    AntiVir PersonalEdition Classic 6¹ 10,086
    Arcavir 2005¹ 9,707
    Virus Chaser 5¹ 9,790
    Norman Virus Control 581¹ 9,765
    eScan Virus Control 2.6.518.8¹ 9,937
    Drweb-432b¹ 9,832
    BullGuard v6¹ 9,966
    Virus Buster Pro 2005¹ 9,188
    MKS vir 2005¹ 9,706
     
  3. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Here we go again, the old "which AV finds more" scenario. How many of these AVs protected against the latest WMF exploit before they updated their signatures or engines?

    Not one, a big fat zero. Considering non-signature-based security like Defensewall, Bufferzone, Sandboxie and others protected the user.
     
  5. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    And please, how should the AV programs have been able to do so? Should the AV companies analyse every known file format and reverse engineer every library/DLL that parses those formats in order to find every possible exploit?
    I guess you want a solution before the next decade.

    The "solutions" you mentioned are incredibly slow and impossible to use on gateways. And scanning & parsing every possible file format would make the virus scanners similarly slow. Are you sure you know what you are asking for?

    And so what? The trojans that were downloaded by the WMF exploits were easily caught by most of the heuristics and variant detections.
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    You missed my point: the AVs can't protect against zero-day exploits whereas virtualisation (sandbox) security apps can.

    The solutions are here now in these virtualisation security apps.

    Using these virtualisation programs on your own PC doesn't slow it down at all, so why bring up gateways?

    Sure, have an AV and antispy just for on-demand scans. Run your browser through one of the security apps I mentioned and you will be a lot safer than relying on signature-based security.
     
  7. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Using sandboxing (on-access) doesn't slow your system? You must have a really fast machine indeed. :eek:

    And what about exploits for file formats that are not handled by the browser but by other applications? You want to run EVERY application on your PC in a sandbox all the time? Sure... :cool:

    And it will be no problem to find a way around the sandbox, exploiting the sandbox itself, exploiting areas that aren't properly guarded by the sandbox and so on. There is no 100% solution, ever.
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Nothing fancy. P4, 3 GHz, 1 GB DDR. No slowdowns with Defensewall or Sandboxie. In fact, since I have turned off my realtime AV and antispy, browsing is faster with Sandboxie or Defensewall running.

    Where did I mention running every app? Just your browser and email client, either untrusted or sandboxed. Or you can run your whole system virtualised with VMware or Greenborder. Haven't tried whole-system virtualisation so can't really comment.

    As for file formats and other apps, can you give an example?

    I know the author of Defensewall compromised Bufferzone's security in 5 mins and that can only make that product better.

    And yep, I agree there is no 100% protection but I come pretty close with my ghost images and a clone on a slave.

    Anyway I'm still convinced virtualisation is a safer way to go in PC protection than signature-based apps. ;)
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Full virtualization is ultra slow even on top hardware. Very acceptable to run Win9x but way too slow on WinNT for anything else except testing.
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Ok, I stuffed up. The above quote should have been "the virtualisation security apps that I have tried don't slow my PC down at all". :ouch:
     
    Last edited by a moderator: Jan 21, 2006
  11. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Hmm, what do you do about malware that is programmed perfectly "legally" and doesn't use any exploits to activate?

    There was an exploit lately for VMware that allowed code to be executed on the host system.

    Any complex file format which requires parsing is possibly a source for exploits. WMF didn't even use heap or stack overflowing, so how did those sandboxes catch it?

    And that makes you feel better? Knowing it is so "easy" to find weaknesses wouldn't make me feel any safer about the product.

    Again, what do you do to protect against "legally" programmed malware?
    Or does the virtualization also include behaviour blocking?
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Ok, you have the "AV Expert" title. And I don't consider myself any more than a layman.

    Let's try it this way.

    Will any AVs protect against zero-day exploits? I say more than likely no.

    Will virtualisation (sandbox) security apps protect against zero-day exploits? I say more than likely yes. :)

    Sheesh,where are the authors of these sandbox programs when you need them?
     
  13. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    We are talking about antivirus software here, not about anti-exploit software. Will Sandboxie protect you against viruses? Maybe, but LIKELY (not sure, just like you) not. ;)


    tD
     
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Anti-exploit, that's a good one. OK :blink: :) ;)
     
  15. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, technically speaking you cannot define the exploited WMF component as legit or dangerous. The coding was done by including that feature.
    It's quite similar if you try to "accuse" the explorer.exe process because it can access the internet, both ways, access FTPs both ways. Wait, explorer.exe is just an interface. Well it isn't... Sandboxes are as smart as the rules implemented in them.
    If nothing is triggered "by the rules" it won't flag anything. That includes exploits, viruses, worms or trojans.
     
  16. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hi Loqka, please do not copy/paste material directly without linking to the source from which you got it.

    http://overclockers.com/articles1260/

    Although I don't see the original author mentioning "Blackspear's settings?"
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There's a contradiction in your statement. First you say that all programs were fully updated, but it's a matter of fact that NOD32 2.12 is an obsolete one. Version 2.50 was released more than half a year ago and brought generic detection which significantly improved detection capabilities.

    Edit:
    Oh, sorry, I overlooked that you cited from an article and read only the initial post. Still, I think that the test collection should be shipped to antivirus vendors so that they can check them out and comment on whether it's legit to detect all the samples.
     
    Last edited: Jan 21, 2006
  18. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    THE SKY IS FALLING!!

    DEAR GOD, THE SKY IS FALLING!!

    :rolleyes:
     
  19. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Maybe a good idea for a new thread?:D

    Topic could be: differences and pros/cons of anti-virus and anti-exploit software ;)
     
  20. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    I wonder if a sandbox app can survive the buffer overflow caused by the exploit ;)
     
  21. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Do you mean something like Norman Sandbox or something like SandboxIE?
     
  22. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    They didn't technically "catch it", but the malware gets executed sandboxed and all the executables and registry entries are not written to the "real" system, so they can all be flushed easily. I know because I've tested it myself.
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    What buffer overflow?
     
  24. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    That's what exploits often do, cause buffer overflows..

    Now if you rely on a sandbox, let's say SSM, or Tiny, the question is can it survive the buffer overflow to stop the malware using the exploit(s)?
     
  25. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    It is sad that, apart from the fact that not all AVs were used
    with a version of the same date (some versions 6 months + older !!),
    there is no mention of how many false positives there were :D

    And:

    Have they any idea what they were testing?

    Some of them may count tracking cookies etc. as well ..
    This is comparing completely different things.

    If this was done the correct way, you should be able to see
    for every AV how many real viruses it found and how many virus FPs,

    and for every AV how many trojans it found and how many trojan FPs.

    Etc.

    Worst case scenario, if you are going to test data that contains
    2 viruses and 500 tracking cookies:

    And test this data with AVs that differ by more than six months.
    The one that finds 10 viruses is 2nd best
    after the (only one that looks for tracking cookies) that finds 200 tracking cookies and no viruses?

    It is rather useless in my opinion...

    :D
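    The scoring tuatara asks for, as an added example that is not part of this thread or of the overclockers.com article. It builds a constructed, labelled sample set matching the worst case in the post (2 real viruses, 500 tracking cookies, plus 50 clean decoy files so false positives can be counted), runs two made-up scanners over it, and shows how the headline "viruses found" total ranks them the opposite way from a per-category breakdown. The scanner names, corpus sizes, verdicts and signature dates are all assumptions for illustration; `comparable()` is the version-age check the post implies, with a 30-day window chosen here rather than taken from the thread.

```python
"""Per-category scoring of an antivirus comparison over a labelled sample set.

Added example; not code from the forum thread or the article it quotes.
Everything below (scanner names, corpus, verdicts, dates) is constructed.
"""
from datetime import date

# Ground-truth categories a sample can belong to. Benign decoys carry the
# label 'clean' so that anything flagged on them counts as a false positive.
CATEGORIES = ("virus", "trojan", "tracking_cookie")


def build_corpus():
    """Constructed corpus: 2 real viruses, 500 tracking cookies, 50 clean files."""
    corpus = {f"virus_{i}": "virus" for i in range(2)}
    corpus.update({f"cookie_{i}": "tracking_cookie" for i in range(500)})
    corpus.update({f"clean_{i}": "clean" for i in range(50)})
    return corpus


def score(corpus, verdicts):
    """Score one scanner.

    corpus:   sample name -> true category ('clean' for benign decoys)
    verdicts: sample name -> category the scanner reported (absent = not flagged)

    Per category C:  detected = samples truly in C flagged as C
                     total    = samples truly in C
                     fp       = samples NOT in C that were flagged as C
    'raw' is the single number the thread's table reports: everything flagged.
    """
    per_cat = {c: {"detected": 0, "total": 0, "fp": 0} for c in CATEGORIES}
    for sample, truth in corpus.items():
        if truth in per_cat:
            per_cat[truth]["total"] += 1
        claimed = verdicts.get(sample)
        if claimed is None:
            continue
        if claimed not in per_cat:
            raise ValueError(f"unknown verdict {claimed!r} for {sample}")
        if claimed == truth:
            per_cat[claimed]["detected"] += 1
        else:
            per_cat[claimed]["fp"] += 1
    return {"per_category": per_cat, "raw": len(verdicts)}


def scanner_a_verdicts(corpus):
    """Hypothetical scanner A: catches both real viruses, mislabels 8 clean
    files as 'virus', and does not look for tracking cookies at all."""
    verdicts = {s: "virus" for s, t in corpus.items() if t == "virus"}
    verdicts.update({f"clean_{i}": "virus" for i in range(8)})
    return verdicts


def scanner_b_verdicts(corpus):
    """Hypothetical scanner B: the only one that looks for tracking cookies;
    finds 200 of them and no viruses whatsoever."""
    return {f"cookie_{i}": "tracking_cookie" for i in range(200)}


def compare(corpus, scanners):
    """Return (ranking by raw count, per-scanner score table)."""
    table = {name: score(corpus, v) for name, v in scanners.items()}
    ranking = sorted(table, key=lambda n: table[n]["raw"], reverse=True)
    return ranking, table


def comparable(signature_dates, test_date, max_age_days=30):
    """Return {scanner: age_in_days} for scanners whose signature/engine build
    (ISO date string) is older than max_age_days at the test date; their
    numbers should not be ranked alongside freshly updated products."""
    test = date.fromisoformat(test_date)
    stale = {}
    for name, iso in signature_dates.items():
        age = (test - date.fromisoformat(iso)).days
        if age > max_age_days:
            stale[name] = age
    return stale


if __name__ == "__main__":
    corpus = build_corpus()
    ranking, table = compare(
        corpus, {"A": scanner_a_verdicts(corpus), "B": scanner_b_verdicts(corpus)}
    )
    print("ranking by raw 'found' count:", ranking)
    for name in ranking:
        print(name, "raw =", table[name]["raw"], table[name]["per_category"])
    # Constructed signature dates: B is months behind the 2005-09-10 test date.
    print("stale:", comparable({"A": "2005-09-01", "B": "2005-02-01"}, "2005-09-10"))
```

    Ranked by the raw count, B (200 flagged) beats A (10 flagged); the per-category table shows A found 2 of 2 real viruses with 8 false positives while B found none, which is the point of the post. `comparable()` separately marks B's signatures as 221 days old at the test date, so its row would not belong in the same ranking in the first place.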
     