AntiVir, Avast, AVG, NOD32 and Kaspersky test update

[Sentinel]

Quote:

Originally Posted by wayne

Was each test done on a freshly installed OS per AV application?

Since I have had a major problem in regards to using Tm PC-cillin IS 2005 and SFX archives, I was searching for a replacement, I settled on NOD since everything I through at it was caught including a head'in virus in a 3-L archive including URL droppers.

Granted, default settings are not advisable thus I made adjustments prier to my testing (Higher Efficiency settings)

-wayne

Yes, I made an image of a slipstreamed XP SP2 installation and used it as a basis for each test.

What I did was simple; I tried to replicate normal activity from an unknowing victim. Opened infected directories, moved the samples across drives, renamed them, packed and unpacked them and then executed them. On demand scanning was used as a last resort (but most people rely on the resident scanner anyway). I had no Internet during testing (for obvious reasons), so email wasn't tested.

You mean an archived dropper that carried a virus? I packed 2 Trojans (UPX) for testing, and they were caught. One dropper did managed to install a Trojan though and modify systems files. But that's the point of a good dropper i.e. avoiding detection. If you can disable system security before the payload is dropped, it's even better.

Anyway, NOD32 is a very good product. Hopefully the signatures will be updated accordingly.

[ABoard]

Quote:

Originally Posted by Sentinel

And that's helpful? I really feel like flaming you.
Any vendor can contact me for that information. Have you read any AV reviews lately? How many will print what they did for testing unless it is requested? NOD32 failed for a good reason: it didn't detect available malware even 3 weeks after I contacted Eset. I don't think that's normal or acceptable from any reputable vendor. It's easy to make fun of others, but you seem to be unable to get the point out of a very simple review.
<snip>
Otherwise, why don't you keep your condescending remarks to yourself.
<snip>

Send any "flames" not relevant to the discussion via PM if you must (otherwise, I'm open for anything you have by way of rebuttal). My post, however, was highly relevant. It points out in simplistic and (to my way of thinking) humorous terms the worthlessness of a critique / review / test with no support (you left out much more than just what samples you used, but that is certainly part of it). And, my post was not necessarily targeting you; equally so, it was targeting the readers / posters here who gave you gushing thanks and thumbs up. Anyone can post any review at anytime here in this forum; it can be bad, good, or excellent. Whether it is excellent will depend on a number of factors, including knowledge of the subject, writing skills, and on a forum like this, the amount of time one is willing to spend on the project for the target audience. Assuming you spent much time conducting the test properly, you neglected to present your findings in as thoughtful and as detailed a manner, and as such it was not worth the effort it took to post. There are hundreds of other more useful reviews / comparisons elsewhere on the web for these very important types of applications. Why not simply direct the members here to those published findings if you cannot do a better job, or do not have the time to do a better job, than others already have (in so many words, why waste your time reinventing the wheel if your "wheel" is square instead of round)? Certainly, if you know what a "scientific" paper looks like (or understand the methodology from which such a paper would be derived), you didn't prove it here. And, let me say that had this type of thing actually been posted on a more hardcore forum or newsgroup, I wouldn't have been the only one to point this out.

I will accept on your word that you expended a lot of effort in conducting the tests. But, that isn't the measurement of success. What readers learn (and can trust) from your posted results is the proper measure. Hey, I busted my b*tt crashing / racing those cars, but do you really know anything useful or credible from the information I posted.


-------
By the way, why did you focus so much on Eset NOD32 in your response to me? It should be clear that I was targeting the entire presentation as opposed to concerning myself with whether you passed or failed a specific piece of software.

[wayne_abx]

Perhaps this may validate Sentinel testing.

**Permission granted from Firefighter, contributor in Wilders Security Forum**

-wayne

[wayne_abx]

This is a very constructive thread; I would like to see it maintained that way. I would like to see more testing done by Sentinel. I would also like to see Sentinel grow in the independent testing process. The more help we give him the better off we all will be!

I say Kudos for stepping forward, his testing/knowledge is our gain!! lets be helpfull.

-wayne

[ABoard]

Quote:

Originally Posted by wayne

Perhaps this may validate Sentinel testing.

**Permission granted from Firefighter, contributor in Wilders Security Forum**

No, not at all. But it certainly lends credibility to FireFighter:

http://www.wilderssecurity.com/showthread.php?t=58597

There are many well prepared tests and presentations on that site and others, as I suggested in my last post.

[wayne_abx]

Quote:

Originally Posted by ABoard

No, not at all. But it certainly lends credibility to FireFighter:

http://www.wilderssecurity.com/showthread.php?t=58597

There are many well prepared tests and presentations on that site and others, as I suggested in my last post.

Why attack? Makes no since! Instead making fun of the posts you could have politely requested what you would like to see in future test, we should be helping not making fun of a subject as serous as this IMO. The examples I posted above was to show that Sentinel tests are not that far off the mark!

As I also stated, I have permission from FF to show the results here at [AB]

-wayne

[wallijonn]

http://www.av-comparatives.org/seite...se/2004_11.zip would seeming show that not every anti-virus program will defend against all threats. One program will do better than another program in a certain area and that second program will do better in other areas than the first program.

Anything which helps to shed light on this plight is welcome and as such I feel that Sentinel is doing a service to the community. This dialogue alone may encourage others to join that security forum. They will probably come back and make suggestions to the other members. I don't see this as a bad thing.

http://www.wilderssecurity.com/showthread.php?t=58597 was a nice read. It helped me find another dozen programs to audition. As someone who has tested Prevx (it was mentioned inside said thread) I have to disagree to its usefulness - I find it to be a r.p.i.t.a. I can at least use tds-3 once and let it run for hours as it scans and cleans trojans. But like Kerio, Prevx tends to be too disruptive, necessitating many mouse clicks to enable a task to be completed, much the same was as 'Giant Anti Spy' does. Many people prefer a firewall that isn't too obstructive, so they may prefer Windows SP2's built in firewall, instead, etc.

In much the same light one should be secure in the knowledge that their anti-virus / anti-worm / anti-trojan / anti-spyware program is doing as best a job as possible. I am open to any 'thing' which helps to increase my awareness of any program's effeciency. I now know about KAV's ADS file tags whereas I was completely ignorant before. I likened it to Norton for a reason - it is a product which I will not use and go out of my way to discourage others from using. I know many people who use Norton products without problems; I am not one of them, though. I am already rethinking my stance on KAV and may audition it on my test system before I commit my "real" system to using it.

As it relates to "free" anti-virus programs, for the most part these programs may not be 100% functional (for example one free program may not scan email attachments). One can say that one gets what one pays for; I say that sometimes you get something which you did pay for - unexpected probelms when unistall, imaging, updating, compatibility, etc. If I have no faith in Kaspersky's free program why should I be encouraged to buy a full version? If I do not hear of any problems with any anti-virus programs, am I limited to only those carried at WalMArt, K-Mart, Target, BestBuy, Circuit City, CompUSA and Fry Electronics? Am I an informed consumer, then?

[ABoard]

Quote:

Originally Posted by wayne

Why attack? Makes no since! Instead making fun of the posts you could have politely requested what you would like to see in future test, we should be helping not making fun of a subject as serous as this IMO. The examples I posted above was to show that Sentinel tests are not that far off the mark!

As I also stated, I have permission from FF to show the results here at [AB]

Wayne,

Seriously, it wasn't an attack and it does make sense (maybe not since, but sense ... sorry, couldn't resist). My "attack" "making fun" of Sentinel's presentation was instead, in actuality, a very concise illustration of the problems with his post. It was meant to be taken in jest (but not lacking in bite), and to be interpreted at a deeper level as constructive criticism without having to be verbose or technical. Regard for the seriousness of the topic (computer security, perhaps) is precisely why I even commented at all. And, regard for the level of thoroughness that others have applied to the same topic was also a compelling factor. Anyone can say anything; few can, or are willing, to back it up.

Secondly, whether your examples show that Sentinel "was not far off the mark" is irrelevant to my point (by the way, how can you even tell whether it was off the mark or not? ... a generalized, pass / fail test without criteria cannot be compared to the specificity of the test you referenced). As a matter of fact, you actually bolstered my argument by showing that others have done similar work, but, unlike Sentinel, have supported their claims with an abundance of precise information and data.

Thirdly, I'm happy for you, I guess, that you had permission to post FireFighter's data. I read that you had permission the first time you posted it, and the need to repeat it with emphasis escapes me.

[ABoard]

Quote:

Originally Posted by wallijonn

Anything which helps to shed light on this plight is welcome and as such I feel that Sentinel is doing a service to the community. This dialogue alone may encourage others to join that security forum. They will probably come back and make suggestions to the other members. I don't see this as a bad thing.

In general, and from a dispassionate point of view, what you say is correct. And I often follow your example of patting heads, even though I recognize faults. However, when someone takes the leap into actually playing with viruses (yes, viruses, virii is not a word) and trojans, and presenting findings of such activity, one cannot expect the patronizing pap of high-fives and "atta-boys" in light of poor work. If one is playing with the real deal amongst the experts, one takes on a certain level of responsibility beyond the norm (whether this is recognized or not), and therefore, one must expect to be duly criticized for shoddy methodology, analysis and / or presentation. Save the BS for the five-year olds, so to speak. Just my opinion.


- OT -

Quote:

Originally Posted by wallijonn

But like Kerio, Prevx tends to be too disruptive, necessitating many mouse clicks to enable a task to be completed, much the same was as 'Giant Anti Spy' does. Many people prefer a firewall that isn't too obstructive, so they may prefer Windows SP2's built in firewall, instead, etc.

Simply adding the following as the LAST rule in the Kerio ruleset will effectively "turn off" any need for user interaction:

Protocol: Any
Direction: Both
Local Endpoint: Any
Application: Any
IP: Any Address
Remote Port: Any
Rule Valid: Always
Action: Deny

[FastGame]

AVAST works great

[Sentinel]

Quote:

Originally Posted by ABoard

Send any "flames" not relevant to the discussion via PM if you must (otherwise, I'm open for anything you have by way of rebuttal). My post, however, was highly relevant. It points out in simplistic and (to my way of thinking) humorous terms the worthlessness of a critique / review / test with no support (you left out much more than just what samples you used, but that is certainly part of it). And, my post was not necessarily targeting Certainly, if you know what a "scientific" paper looks like (or understand the methodology from which such a paper would be derived), you didn't prove it here. And, let me say that had this type of thing actually been posted on a more hardcore forum or newsgroup, I wouldn't have been the only one to point this out....snip...I will accept on your word that you expended a lot of effort in conducting the tests. But, that isn't the measurement of success. What readers learn (and can trust) from your posted results is the proper measure. Hey, I busted my b*tt crashing / racing those cars, but do you really know anything useful or credible from the information I posted. ...snip

Did you check the original post this was meant to update? Links were provided. The first post was rather subjective, with a summary of various detections tests that I read over the last few years. This was a different testing approach altogether, trying to see if the detection rate would be constant under different "real world" conditions. I didn't see the point of added numbers for a dozen or so samples. If you thought I should have, why not suggest that instead of being a smart alec? I'm always open to criticism, not useless condescending remarks, either directed at me or others.

Again, this WAS NOT A DETECTION RATE TEST. Those are available already. But you apparently don't want to hear that, since you keep referring to other more "professional" sites that have nothing to do with what I attempted.

Every forum has people doing things for free just to help others, usually for very little in return. Games have modders, hardware has bios/driver modders, etc... Many of those kind people eventually get tired of all the bickering that their contributions cause and leave. Every time this happens, the community loses as a whole. Even vendors get tired of useless comments, and while they don't quit, they start to ignore forums and emails from clients. You see, I don't always agree with these people's offerings, but I can show respect for their time by not posting useless remarks about their work. I always have a choice not to use what they offered if I don't like it.

You might think that my test is stupid and worthless, but I don't. Like I said, I'll consider doing a detection rate test if I get help. I don't have time to gather and sort 5 000-20 000 samples at the moments. But again, this wasn't one. The test I just did will never use so many samples, simply because it is not feasible. It's not because I feel like cutting corners, like you seem to assume, or because I have no idea what I'm doing.

Again, I could have provided numbers. You just didn't ask nicely, did you? People like you never do. BTW, if you have any scientific background, you must know how easy it can be to make numbers say what you want. If you're just impressed by numbers because you think they're more credible, you must get fooled a lot. What you consider a humorous rebuttal is simply rude and offensive. Regards

[Sierra_abx]

Enough of this please. I think it's been established who disagrees with who here. For now, just agree that you disagree with one another. But a warning. If the personal attacks continue, this thread will be closed. Thanks in advance.

[wayne_abx]

FastGame,

Please edit your post.

ABXZone.com Forum Rules

Quote:

No obscene behavior, flaming, insulting another. If you have a problem with another member, deal with it privately.

-wayne

[Sentinel]

Quote:

Originally Posted by wayne

Perhaps this may validate Sentinel testing.

**Permission granted from Firefighter, contributor in Wilders Security Forum**

-wayne

It doesn't, since I really didn't attempt a detection rate test. But it's a very good find. I checked some posts there yesterday and missed that one. Thanks

[pointreyes]

The snide remarks are getting rather tiresome to read through. Instead of using this form of language to commuciate, how about we try to use some professional talk about this subject? Oh and BTW anymore unpleasant commentary that is used to insult any person on this thread will lead to a 'cooling' down period.