Which is the best against modified and masked trojans?

Discussion in 'other anti-virus software' started by ok man, Oct 20, 2005.

Thread Status:
Not open for further replies.
  1. ok man

    ok man Guest

    Which is the best against modified and masked trojans?
    Ewido, KAV, Panda, NOD32?
    Also, which is the best unpacking AV?
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Anti-Trojans are always better for Trojan detection ;)

    To my knowledge, KAV has the best unpack engine. And NOD32 has excellent heuristics which allow it to catch quite a few variants of Trojans quite well.....BitDefender also does well for Trojan variant detection. :)
     
  3. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Always? I don't think so!
     
  4. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I have never seen here how good the new DrWeb 4.33 is in heuristics: absolutely in the same category as NOD with AH, but it is also capable of scanning the whole hard disk in real-time protection as well!

    Best regards,
    Firefighter!
     
  5. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Yes, in the new version of Dr Web, background scanning has been added. So SpIDer Guard will now check files during system idle.

    I do not know about actual improved trojan detection, but there are more unpackers in version 4.33.
     
  6. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    KAV is the best for anti-trojan detection.
    The latest test shows that KAV detects 99.78% of 36,234 samples (look at http://www.av-comparatives.org).

    KAV detects viruses in over 900 archive and compressed file formats.

    NOD32 has excellent AH, but a smaller signature database than KAV. NOD32 detects (a lot of) trojans with AH. Great job ESET.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The best information on this would be the scan logs at the Scheinsicherheit Security Software forum though they are over a year old.
     
  8. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    If you use the results over at Scheinsicherheit's, together with more recent data over at MyCity, then:

    1. The best unpackers appear to be KAV, KAV-engined AVs such as F-Secure, and McAfee, with BitDefender and Dr Web not far behind.

    2. Whereas those with relatively little unpacking ability include: AVG, eTrust EZ AntiVirus, Norman and Sophos.
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    OK OK.....KAV may put some Anti-Trojans to shame every now and then ;)
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Just for fun (yeah, right...) I went through the Scheinsicherheit logs (if you're reading this ntl, could you pick an easier forum name to spell? ;)) to collate their results.

    For those not familiar with their tests, please note the following:
    • These date from June/July 2004 so most scanners will have improved (but then again, there are more techniques for malware to use to hide from scanners);
    • The tests are of file scanners only - most AV/AT products include a memory scanner which will have higher detection rates. Memory scanners are harder to test though, since it does require actually running the malware (and then cleaning the system up fully after each test). BOClean is primarily a memory scanner so has been covered in a separate review;
    • These can be considered "worst case" scenarios (or "real life" if you download files from questionable sources) - safe hex will greatly reduce the chance of users having to push their AV/AT scanners this far;
    • These show the numbers of malware not detected so lower = better. :)
    Those products marketed as anti-trojans are marked in blue:

    McAfee: 35 missed out of 556
    AVK: 97 missed out of 556
    KAV: 98 missed out of 556
    F-Secure: 100 missed out of 556
    DrWeb: 181 missed out of 556
    NOD32 (with AH): 199 missed out of 556
    Ewido: 230 missed out of 556
    TDS-3 (discontinued): 235 missed out of 556
    BitDefender: 263 missed out of 556
    TrojanHunter: 296 missed out of 556
    AntiVir: 325 missed out of 556
    MKS-Vir: 325 missed out of 556
    Norton: 363 missed out of 556
    AVG: 378 missed out of 556
    Panda: 381 missed out of 556
    Avast!: 415 missed out of 556
    eTrust: 418 missed out of 556
    Sophos: 430 missed out of 556
    CommandAV: 441 missed out of 556
    Trend: 452 missed out of 556
    F-Prot: 456 missed out of 556
    ClamWin AV: 463 missed out of 556
    TheCleaner: 465 missed out of 556
    Pest Patrol: 468 missed out of 556

    Given the age of these tests, it would be unwise to make any statements about the current effectiveness of these products but the following points are worth noting:
    • The results correspond closely with AV-Comparatives (and the MyCity tests) with KAV + derivatives (F-Secure, AVK) doing well. McAfee's top performance is also consistent with other tests.
    • No definite conclusions can be drawn about anti-trojan products generally, since only 3 are listed above. However DCS' decision to withdraw TDS-3 does seem justified given the performance of the top-notch AVs.
    • Whether or not to use an AT product to supplement an AV should therefore depend more on what features it offers over and above signature scanning (e.g. process/registry protection, activity monitoring, etc). AVs like Kaspersky are also moving in this direction though.
    • There are too few tests like this - if Ntl is reading this rather than playing GuildWars, perhaps he would consider an update? ;)
     
  11. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    A number of AV programs, for example Command/F-Prot and Dr Web, have all improved their unpacking abilities since their tests over at Scheinsicherheit's.
     
  12. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    Thanks for taking the time to post that Paranoid2000. Good to know even if they are a bit out of date to compare how they are improving...or not. :)
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    You're welcome, though the main kudos should go to Ntl for running those tests in the first place. I did find it rather surprising how many AVs came ahead of the AT's though - and how poorly one AT did... (doubtless a real cow of a product ;)).
     
  14. mirimim

    mirimim Registered Member

    Joined:
    Jan 16, 2005
    Posts:
    6
    Well, I wouldn't know. But I would like the opinion of you learned geeks with regard to F-Secure's BlackLight beta. Seems great to me. mirimim/:ninja:
     
  15. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    The reason for this: only file scanners were used.
    There are very few packers that are good against real-time memory scanning.
    I suppose that the result would've looked different if the real-time modules of some ATs were used.

    I personally, in "my tests", have found DrWeb's and NOD32's heuristic engines very good against modified malware/new variants.
     
  16. Alantir

    Alantir Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    12
    Some time ago Nautilus did some interesting tests about code permutation as well. The modified samples were scanned with BOClean, Dr. Web, Ewido, Kaspersky, NOD32 and TDS-3.
     
  17. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    That test is really old; both NOD and DrWeb have released new versions since.
     