Will this be fixed (AV-Test concerns 6/2012)

Discussion in 'ESET Smart Security' started by wolliballa, Sep 5, 2012.

Thread Status:
Not open for further replies.
  1. wolliballa

    wolliballa Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    90
    Location:
    Germany
    Here is a quote from AV-Test report (6/2012)
    http://www.av-comparatives.org/comparativesreviews/performance-tests/164-performance-test-june-2012

    Quote (from page 4):
    To support our concerns, we tested if the products are loading all their protection modules before e.g. malware in the start-up folder is executed. Most products failed this test, except AhnLab, Avast, AVG, Bitdefender, Panda, Sophos and Webroot. Only those products detected and blocked the malware before its execution after system start-up (by loading itself at an early stage). In all other cases first the malware was successfully executed and only later detected by the security suites, when the system was already compromised.
    Unquote.
    Is there a roadmap to fix this ?
     
  2. 4L3X

    4L3X Registered Member

    Joined:
    Sep 13, 2006
    Posts:
    40
    Have never seen a case of this since using ESET's products. No antivirus is 100% foolproof and picking and choosing bits of malware is not a very thorough test of any antivirus.

    Guess the more dangerous the file you download the more likely you are to receive a dangerous payload along with it.

    When in doubt, use your antivirus in conjunction with something like Malwarebytes for a system scan :)
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Is it a simulation of the real world if malware samples are first copied to the disk with real-time protection disabled and executed only then? In such a case, one would need to have Advanced heuristics enabled on file access or execution, which is not the default (removable media are an exception); however, in the real world the malware would have been detected and blocked while being downloaded or saved to the disk.
     
  4. wolliballa

    wolliballa Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    90
    Location:
    Germany
    Looks like the AV-Test-people were thinking about the scenario that an unknown or believed harmless piece of software gets downloaded undetected and is activated after reboot before security software gets loaded and can take care of unwanted activities by behavioural analysis.

    I would not think the concerns could be wiped away so easily and it is obvious that the earlier you load protection modules the safer it is.

    Have a look into the report, typically AV-Test also explains about the test suite.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You've mentioned AV-Test but the link points to a test conducted by AV-Comparatives. I, for one, would really like to see this test performed by enabling Advanced heuristics on file access or execution; I'd bet the results would be completely different for ESET. In the real world you don't browse or copy files with real-time and web protection disabled. These protection modules would prevent recognized malware from getting to your computer and being executed. Even though the startup scanner run upon a computer startup or after an update does not prevent malware from getting executed, it can detect it in memory and suggest that you restart the computer to get rid of it. This is something I'd definitely prefer to having malware running silently in the background for a longer period without being detected and cleaned at all.
     
  6. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    Enabling Advanced heuristics on file execution would not make a difference as by the time the protection modules of ESET are loaded the malware was already executed (which is what the experiment tried to show: whether products load early or later to gain performance). Enabling advanced heuristics on file access or execution would have an impact on performance (which is why it is turned off by default).

    Maybe with Windows 8 ELAM this will be solved.

    P.S.: some vendors do this "by design" to gain performance, so there is "nothing to fix" in that sense.
     
    Last edited: Sep 7, 2012
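
Added example, not part of the thread or of any vendor's tooling: a read-only PowerShell audit for the load-order question discussed above. It lists the kernel and file-system drivers configured to start at boot or system initialisation, with their load-order group, next to the files currently in the startup folders. It assumes a Windows host with PowerShell 3.0 or later; which driver belongs to which security product is left for the reader to identify from `ImagePath`.

```powershell
# Added example: configured driver start order vs. startup-folder contents.
# Registry "Start" values for entries under ...\Services:
#   0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled
$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$drivers = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, Type 2 = file-system driver (includes minifilters)
    if ($p -and ($p.Type -eq 1 -or $p.Type -eq 2) -and $null -ne $p.Start) {
        [pscustomobject]@{
            Name      = $_.PSChildName
            Start     = $startNames[[int]$p.Start]
            Group     = $p.Group          # ELAM drivers (Windows 8+) use the "Early-Launch" group
            ImagePath = $p.ImagePath
        }
    }
}

# Drivers that are loaded before any user logs on and before startup-folder items run
$drivers |
    Where-Object { $_.Start -in 'Boot', 'System' } |
    Sort-Object Start, Group, Name |
    Format-Table Name, Start, Group, ImagePath -AutoSize

# Items that Explorer launches at logon from the per-user and all-users startup folders
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$startupDirs | ForEach-Object {
    Get-ChildItem -Path $_ -File -Force -ErrorAction SilentlyContinue
} | Format-Table FullName, LastWriteTime -AutoSize
```

The output shows configured start types only: a product whose driver is boot-start can still hand scanning to a user-mode service that starts later, so this narrows the question rather than replacing a timed test like the one quoted in the first post.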