Why Microsoft Doesn't Need Independent Antivirus Lab Tests

Discussion in 'other anti-virus software' started by sturgess, Oct 30, 2013.

Thread Status:
Not open for further replies.
  1. sturgess

    sturgess Registered Member

    Joined:
    Aug 24, 2011
    Posts:
    158
  2. Disney

    Disney Registered Member

    Joined:
    Oct 15, 2012
    Posts:
    103
    Location:
    USA
    Lol . Priceless
     
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,066
    Location:
    Netherlands
    If I understand the big data mining story of MSMRT correctly:

    1. MSMRT has a fingerprint list of prevalent malware and scans only once a month.

    2. When MSE does not have these fingerprints (otherwise it would not fail the AV tests mentioned in the article), it can't feed MSMRT.

    3. When MSE does not give those fingerprints to MSMRT, how does MSMRT get them (when the engine is the same in all MS AV products)?

    4. How does Microsoft obtain these fresh samples when they do not participate in those tests (and VT is bought by Google)?

    Am I missing something?
     
    Last edited: Oct 30, 2013
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Is that meant to be sarcastic? I don't see reasoning for it from this article.
     
  5. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    I did a bit of research on Microsoft security practices and as far as I understand:

    - Microsoft receives samples from computers running only Microsoft security products (or any Windows user, not sure about this one).
    - Automated analysis of these samples provides signatures to MSE and Windows Defender to an extent. The products also use heuristic analysis.
    - Some of the harder-to-detect malware is viewed by hand and definitions are added later, depending on how quickly the Microsoft team processes the threats.
    - At the end of any month Microsoft determines the most widespread and malicious of these and pushes signatures of them with MSRT (including the hand-processed ones).

    And where I got stuck is ".... Yes, that means Microsoft can very clearly identify failures by specific antivirus products, including their own... " I'm OK with detecting other vendors' failures, but how the heck can they detect their own failures with MSRT?

    Either MS does push handpicked malware to only MSRT (or to first MSRT so MSRT detects it before MSE/defender), or they shouldn't be able to spot their mistakes. And if they act by this principle (I highly doubt it), it is the definition of stupidity. OR maybe they can only remove some of these malware with only MSRT and not by MSE/defender.

    If they count existing operational malware which they didn't find in the first place as fails, fine, but what does MSRT have to do with it?

    My head was hurting thinking about these, then I remembered the source of the article and I stopped thinking about the issue altogether :rolleyes:

    Joke aside, any insight on the subject would be highly appreciated.
     
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,066
    Location:
    Netherlands
    When you reverse calculate the number of people infected using the data below, infected MSE users would rank as the 70th largest country by population.

    Infection data of Microsoft
    https://www.microsoft.com/security/portal/mmpc/shared/protection.aspx

    AV-Comparatives tests
    http://chart.av-comparatives.org/chart1.php

    Market share Opswat
    http://www.opswat.com/about/media/r...-2013#worldwide-antivirus-vendor-market-share

    Number of surfers/internet users
    http://www.internetworldstats.com/stats.htm

    Population per country
    https://www.cia.gov/library/publications/the-world-factbook/rankorder/2119rank.html


    Real-world protected is Microsoft's own data x protection level from AV-Comparatives; infected is the opposite (1 - protected).
     

    Last edited: Oct 30, 2013
  7. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    Microsoft claims they detect widespread malware, as that is what users need protection from.
    But, AV-Test.org shows this:
    Detection of widespread and prevalent malware discovered in the last 4 weeks (the AV-TEST reference set). Industry average: 99.
    Samples used: 22,517. Detection rate in %: 97, 96.
    So, MS isn't exactly doing that, either.
    Industry average detection of widespread malware is 99%.
    Maybe this is all FUD but facts are facts.
     
  8. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    Don't forget that OPSWAT collects data from mostly the west half of the world since the apps they used to do so are only available in English. I would increase MSEland's population by quite a bit :D
     
  9. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,066
    Location:
    Netherlands
    Still rank 70 by population with this calculation :D impresses me.
     
    Last edited: Oct 30, 2013
  10. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    Given a month to find the malware they missed, they can then put them in MSRT and remove them.
     
  11. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    They should be able to do the removal with MSE/Defender by pushing the same definitions, barring a few oddball malware, but I already covered that possibility:
    "OR maybe they can only remove some of these malware with only MSRT and not by MSE/defender."
     
  12. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,066
    Location:
    Netherlands
    What you don't detect in MSE you can't analyse OFFLINE, hence can't remove with MSMRT
     
  13. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    Since MS collects data from other installed AVs, is that how they find some of what they missed on the first pass? And, do they collect from VirusTotal and like sites? And, how does MS build their malware database?
     
    Last edited: Oct 30, 2013
  14. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    Microsoft is a collaborator for VirusTotal so they should get info from them. From the VirusTotal FAQ:
    "In exchange for providing an antivirus solution you will receive all files submitted to VirusTotal that are not detected by your product and are detected by at least one other antivirus, along with their corresponding VirusTotal reports."

    Collecting data from other installed AVs however would be data mining. I think the data they collect is what AV is installed and if it's up-to-date or not.
     
  15. FreddyFreeloader

    FreddyFreeloader Registered Member

    Joined:
    Jul 23, 2013
    Posts:
    527
    Location:
    Tejas
    Does this sound like data mining?
    "The MSRT runs briefly during Windows Update and then goes away, until the next month. As part of its job, it reports a collection of entirely non-personal system information back to Microsoft. By aggregating the many millions of reports thus generated, Microsoft can learn a lot. You can check out a limited summary of their results on the MMPC website, but internally they've got much, much more information."
     
  16. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    Nope it doesn't sound like data mining to me.
    Here is what they collect according to Microsoft and you agree to that when MSRT is run.

    I think the data they collect is what AV is installed and if it's up-to-date or not, if its protection is active and, if a piece of malware detected by MSRT is running on the system, the knowledge of the said AV failing at that specific detection.
     
  17. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    547
    Location:
    USA Southwest
    Has anyone ever seen MSRT report that it found anything? I will sometimes run a manual MSRT scan from Revo but it never shows anything. If it did, does it just silently remove the malware and go away, or should it announce what it has found?
     
  18. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    499
    It does display a warning AFAIK.
     
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    And at what point do you not stop to think that if the "industry average" according to AV-T is 99%, why are people getting infected?

    Yeah, I wonder! Maybe because AV-T and their sub-par sample count is a load of nonsense?

    Attaching a value of 100% detection to any AV product should be an instant dismissal of a test.

    VT sends submitted files to all AV vendors AFAIK.
     
    Last edited: Oct 31, 2013
  20. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    Not correct.

    They have a back end service where u can purchase volumes of files from their library but it is monetized and certainly not a free delivery/sharing service.
     
  21. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Where did that description come from? Note that the "MSRT Privacy Statement" @ http://www.microsoft.com/security/pc-security/msrt-privacy.aspx explicitly mentions that personal information may be hoovered up:

    It subsequently goes on to mention other MSRT selected information that might be sent "only with your consent". So presumably, the above would be sent automatically and without the user having a chance to review/approve it.
     
  22. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Source?
     
  23. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
    plz do not mix AV-C with AV-T. (and plz read the test reports to understand why % are so high).
     
  24. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    https://www.virustotal.com/en/documentation/private-api/

    So in short they charge companies for access to files uploaded to VT front end.
     
    Last edited: Oct 30, 2013
  25. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Fixed. Sorry, my brain thought AV-T but for some reason I typed AV-C.
     