Why bother using any anti-trojan program

Discussion in 'other security issues & news' started by Wai_Wai, Aug 13, 2005.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Wai_Wai, it's obvious that you're new to this forum, and I think everyone here respects that, however what you're missing in a lot of what's being said here is that many/most of the points you raise have been debated thoroughly and endlessly, for days and weeks on end, throughout the rest of the forum. I would really recommend that you look around for a little while.. there's a lot of information that would make sense of what's being said. A lot of people here simply don't want to get into a long winded discussion all over again, so things are being stated simply in an effort to help you understand without getting into another new debate.

    Secondly.. honestly.. you're confusing a lot of issues and seem to be selectively paying attention to points raised, and in some cases it would almost seem intentional, if I didn't know better (which, I suppose, I really don't). You really should go back and read the links about the virusp.gr tests.. the reality of the statistics you're basing your presumptions on makes for a lot of confusion with your arguments. One main indicator of that test's inaccuracy is that different scanners using the same scanning engine are showing wildly different results, and the AT scores were obviously done without any real knowledge of what ATs are for or how they work. Much of that information is also quite outdated (things have changed considerably in the past year), or completely backwards.. take this, for example:

    NOD32 has a track record for detecting the most ITW malware, with the least false positives. It used to be bad at detecting "zoo" samples and trojans, but that has changed quite a bit in the past year.

    Using this as just one example, I hope you can go back and see more clearly some of the points that have been raised. Yes, you have made mention of the points in your original post, but with a little effort it should be clear why many disagree with your conclusions.

    I'll wrap this up by saying that many here, including myself, feel that the "classification" of different programs is, in fact, something that should be paid attention to. If someone comes to the forum looking for help with adware, and you recommend Ewido over a dedicated AS (because, hey, they're all spyware scanners, right?), that person is likely to continue to have problems. I personally chose Ewido and NOD32 because they will pick up the worst of stuff, and my HIPS (behavior blockers) will take care of the rest, and I don't mind spending the time to clean up if I make a mistake. The problem is that many people simply don't have the patience to hunt around on Google, forums, etc., to find out what this cryptic alert means.. many wouldn't even know where to start. For those people having a few different scanners is probably the best way to go, but these things are generally taken on a case-by-case basis.

    Hopefully that helps make sense of some of the responses in this thread.
     
  2. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Your English is not bad either.

    Yes, it may be a better label.
    However all security software suddenly becomes the same (in label description) (i.e. all are anti-malware in the eyes of customers).

    Hmm... maybe a better way is to add each label if some requirements are met.
    Eg: For AV, if you can detect a decent number of viruses, you can call yourself AV.
    The same holds true for others.

    So for example:
    McAfee is qualified as AV/AT
    KAV is also qualified as AV/AT
    Spybot S&D is qualified as AT/AS

    What do you think?

    Nice to hear your comment, StevieO.
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    True.
    Have you read my analogy:

    By installing 1 anti-trojan, it doesn't mean it will automatically close the 1% gap. Let me simplify the situation and illustrate it to you with an understandable analogy.

    There are 6 grades in the school (A-F).
    An "anti-virus" program is like an A-B grade student; while an "anti-trojan" is a D-E grade student.

    Surely an A/B grade student cannot score full marks in the test (eg the best student can manage to get 99% only). How can the A-grade student get the remaining 1%?

    "How about asking a D/E grade student to help?" the A-grade student thought.

    "Are you crazy? How would I know how to solve this question? It's too difficult for me," an E-grade student said, "There is surely a chance I can, but how big is that chance, you fool!?"

    Surprisingly, he then mentioned something which enlightened the A-grade student:

    "You'd better ask other A/B grade students for help. They will know how to solve this difficult maths," the E-grade student told the A-grade student.

    "Ah! How stupid I am! Why didn't I seek help from other A-grade students in the first place?" the A-grade student grieved, "Now the A-grade students have left school. I have to wait for tomorrow."

    Why does the software miss that 1%? Probably they use advanced techniques which are hard to arrest, or the trojans are rather new, or they are less common. Simply, you may assume the remaining 1% are "super/special" trojans!!

    Your anti-trojan is not designed to arrest this 1% gap. Instead it is said to specialise in arresting trojan-related threats. Unfortunately they cannot even do better than anti-virus programs.

    You may feel an anti-trojan is specialised in arresting trojan guys! You may feel so due to the fact that:
    - it was true in the very early stages of security programs
    - the name "anti-trojan" misleads you into thinking they should be specialised in trojans. It's in fact a misnomer, based on hard facts. Sad to say, hard to accept, but have to admit. :"(
    - now it is a sunset market. Remember why TDS is dead?? To survive, it has to be converted into either "anti-virus" or "anti-spyware" (Ewido is a good example of moving towards anti-spyware). Anyway these 3 products have some degree of overlap.


    So what should you do now if you are the A-grade student?
    This leads to the second point. Anti-trojan is not the only option. We have other alternatives too. If you believe anti-virus can get a 99% hit rate, and only 50% for anti-trojan, it is equal to asking an E-grade student a difficult maths question which you, as an A-grade student, don't know how to answer.
     
  4. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, I agree the debate can keep going around and around without stop.
    In fact, I'm still reading while replying.


    Hmm... No offense, but it seems you have misread the above statement.

    I have to say, I have spent considerable time investigating different anti-virus programs, so these statements (unlike some others which may only express my ideas) are not made lightly.

    Just as you said, "used to be bad at detecting "zoo" samples and trojans". But I have already said it IS good at zoo malware. (among the best 3 if you ask me)

    Also you said "has a track record for detecting the most ITW malware"; it is hard to say since I don't know what you define as "most". But to me, it is not. (falls outside of the best 5/6 at least if you ask me)

    As to false positives, it again depends on what situations and how you compare. But I have to admit my info about false positives is 1 year old (since the newest reports don't include this category). If you ask me, no better than McAfee.

    You said "changed quite a bit in the past year", however some of my claims were revised just a few months ago.

    Finally, what are your claims based on? Are your claims reliable too (eg not just your own experience, said by someone etc.)?
     
  5. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    It does make sense.
    But... hmm... how to put? Sometimes I just feel tired to explain the same thing over and over again.


    The problem is that many people simply don't have the patience to hunt around on Google, forums, etc., to find out what this cryptic alert means.. many wouldn't even know where to start. For those people having a few different scanners is probably the best way to go, but these things are generally taken on a case-by-case basis.


    Take this as an example, I have already said:
    - the above holds true for people who are willing to bother, or rather do these steps.
    - so the decision is yours. If you bother, go ahead; otherwsie don't.
    [PS: By the way, the situation you describe is rather inaccurate, which is explained previously]

    Quite many points have been clarified, but the same argument is raised.
    Probably I have explained too much in depth, so people have ignored my comments. However if I don't explain in depth, people may keep challenging the same thing or ask the same question over and over again. What a dilemma! :'(

    I just don't know what I should do. :doubt:
    It seems my ideas cannot be passed on to them.
    If you know, better advice me. I am ready to listen. :-*
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    What I was saying is that you had your facts backwards. NOD32's track record is that it's the best for ITW detection (with least false positives) but not zoo (however that has changed). My sources are the forums here and Virus Bulletin, which are professional independent testers, rather than hobbyists like virus.gr (who hasn't provided thorough tests and has not been open to suggestions). In order to get a VB award you have to catch ALL ITW samples with NO false positives, and NOD32 has the most.. never having missed an ITW sample in all the years tested. You will also find very few false positives in the forum, and hear about very few from users (I've experienced 1 in the past two years, and both NOD32 and the software mis-identified were beta). But that was just one example that I chose because I knew about it specifically off the top of my head; it was not my intention to bring up how good NOD32 is or isn't.

    Perhaps you would like to provide additional sources for your information? (preferably reliable sources that can be easily verified; professional sources are best.) Have you had real-world experience with all the mentioned software, or are you just going based on what you've read at places like VirusP.gr? (again, already having been shown to be completely flawed, and not a good foundation for forming presumptions)

    Yes, but then you turn around and put emphasis on it not being a big deal, and that anyone can use them, which pretty much negates the initial disclaimer for most readers. You state "sure, go ahead if you want to" but then try to give a dozen reasons why ATs are essentially not worth it, including implying it in the thread subject.

    Inaccurate according to whom? That may be your opinion, but many here would differ.. many that may have invested even more time and research on the same subject. My opinion as to behavior blocking being inappropriate is based on trial and error with many users that were not able to use them effectively, and got exceedingly frustrated. While doing work for people fixing their computers, you come face to face with that lack of patience every time, sometimes justified, sometimes not. Unless they seek it out themselves, most users simply don't have patience for any computer issue.. they just want to get in, check their email, surf the web, and leave, without any hassles. There are also many professionals in other areas that literally do not have the time to sit down and learn these things, and interrupting their work-flow is unacceptable.

    If someone is responding to a particular comment, offering a reason that your reasoning may be lacking, it's not really appropriate to refer back to the initial comment that's in question. Like I say, most of us here have also invested quite a bit of time and effort into researching these things as well, and also don't make these claims lightly. It doesn't matter who you are around here, there are always people that know more and have more experience on any given topic. The process of learning is never ending with computers, including security.

    Indeed. Unless you have anything new to add, I think I've said my piece.. we kind of seem to be going in circles here.
     
    Last edited: Aug 14, 2005
  7. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Thanks for your detailed reply.
    Here's my reply.

    Are the following what you want:
    http://www.av-test.org/ (recommended!)
    http://agn-www.informatik.uni-hamburg.de/vtc/ (recommended!)
    http://www.av-comparatives.org/ (recommended!)
    http://www.virus.gr/english/fullxml/default.asp
    http://www.westcoastlabs.org/default.asp
    http://www.virusbtn.com/
    http://www.icsalabs.com/
    ??

    EDIT: These are just some of them, but they will still take you many days to read and investigate.

    After all, points taken.
    Thanks for your comments. :)
    And I'm going to research more in these days.
     
    Last edited: Aug 15, 2005