Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

Buddel to Kobra007

Re: Kobra's Antivirus SHOWDOWN results.

I agree with FF again. AVK is very popular over here. However, I dare say that both Norton and McAfee are even more popular with Germans. Why? Well, simply because they have enough €€ to dominate the AV markets in all four corners of the world.

Back to the subject: Kobra, thanks a lot for your hard work.:)

gate1975mlm
Premium Member
join:2001-09-30
Philadelphia, PA

Will eXtendia AntiVirus AVK work with Outlook Express?

Buddel
If it ain't broke, don't fix it.
Premium Member
join:2004-03-06
EU

said by gate1975mlm:
Will eXtendia AntiVirus AVK work with Outlook Express?

I used an older version of AVK by GData until a couple of months ago. It did work with OE. Dunno anything about the (new) Xtendia version though.

gate1975mlm
Premium Member
join:2001-09-30
Philadelphia, PA

Here is a very nice review about it »www.wilderssecurity.com/ ··· ?t=33597
hescominsoon
join:2003-02-18
Brunswick, MD

1 edit

hescominsoon to Kobra007

*deleted*

utahusker
join:2000-09-05
Saint George, UT

utahusker to Kobra007

I purchased the $10 version. What engine does it use? I am thinking RAV, at least I hope so since my Astaro firewall includes KAV protection.
hescominsoon
join:2003-02-18
Brunswick, MD

1 edit

hey utahusker,

I run Astaro as well.. I have over 30 attachments blocked in the POP3 proxy.. my virus pass-through has been zero for 3 months.. here is the list (may not be feasible for everyone however)
1. ace
2. ade
3. adp
4. bas
5. bat
6. chm
7. cmd
8. com
9. cpl
10. crt
11. exe
12. hlp
13. hta
14. inf
15. ins
16. js
17. jsp
18. jse
19. msc
20. msi
21. pif
22. reg
23. scr
24. vb
25. vbe
26. vbs
27. zip
28. mdb
29. rar
30. bz2
31. gz
32. lha
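
The extension blocking described in the post above, as an added sketch that is not part of the original post and is not Astaro's code. The function names and the sample message are constructed for illustration, and matching on the final extension after normalizing case and trailing dots or spaces is an assumption about how such a filter should behave.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The 32 extensions listed in the post above.
BLOCKED_EXTENSIONS = frozenset(
    "ace ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins js jsp jse "
    "msc msi pif reg scr vb vbe vbs zip mdb rar bz2 gz lha".split()
)


def final_extension(filename):
    """Return the lower-cased last extension, or '' if there is none.

    Trailing dots and spaces are dropped first because Windows ignores them
    when opening a file, so 'setup.exe. ' is still treated as 'setup.exe'.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". \t")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def blocked_attachments(raw_message):
    """Return [(filename, extension)] for every part the list would block."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested multiparts
        filename = part.get_filename()
        if not filename:
            continue
        ext = final_extension(filename)
        if ext in BLOCKED_EXTENSIONS:
            hits.append((filename, ext))
    return hits


def build_sample():
    """Constructed message with four attachments (payloads are dummy bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("notes.txt", "Invoice.PDF.SCR", "photos.zip", "report.pdf"):
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, ext in blocked_attachments(build_sample()):
        print(f"BLOCK {filename!r} (.{ext})")
```

With archive types such as zip, rar and gz on the list, ordinary compressed attachments are dropped as well, which is the trade-off behind "may not be feasible for everyone".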

StraitShoot
Who Loves Ya Baby? - Theo Kojak
Premium Member
join:2003-02-08
Clinton, MA

StraitShoot to Kobra007

How come you didn't try Escan..?

»www.virusbtn.com/vb100/a ··· orld.xml
Kobra007
join:2004-06-15
Longwood, FL

I tried eScan, and it caused me to reformat. So I tried it again, and had to reformat a second time. That product is an accident waiting to happen! Anyway, I got some updates:

Updated testing results, several additional products tested. Special note to the changes in first place. Notes on the changes:

Discovered and tested MKS-Vir2004, from Poland. Surprisingly, this one caught every sample perfectly on Medium Heuristics. Specifically, nearly 50 samples were picked up Heuristically giving it a perfect score of 321/321. However, when I increased Heuristics to "Super Deep", it picked up an additional 10 more suspicious files. Upon further investigation, it was found that it was picking up signatures of hacktool utilities left over in some of the archives and flagging those files. Indeed, this is impressive. MKS-Vir2004 exhibits the most advanced detection algorithms I've ever seen, clearly it only had signatures for 271 of my samples, but through code emulation, it was able to pick up all 321 samples!! It clearly labeled the Heuristically found ones as things such as "Likely Win32 Trojan" or "Highly Suspicious Acting File". In addition, its scanning speed was incredibly quick, and its memory footprint was quite small. Impressive! Furthermore, this is a full featured and fairly polished product that appears to update at least once per day, and tech support responded to me within 5-15 minutes on my emails. Unfortunately, it appears to not be available in the US for purchase at this time.

Tested other additional products, Antidote, PerAV, Vir.IT, FireAV, and VirusBuster. Results are below.

1a) MKS_Vir 2004 - 321/321 0 Missed - 100%
1b) eXtendia AVK - 321/321 0 Missed - 100%
2a) Kaspersky 5.0 - 320/321 1 Missed - 99.70% (with Extended Database ON)
2b) McAfee VirusScan 8.0 - 319/321 + 2 (2 found as joke programs - heuristically) - 99%
3) F-Secure - 319/321 2 Missed - 99.37%
4) GData AVK - 317/321 4 Missed - 98.75%
5) RAV + Norton (2 way tie) - 315/321 6 Missed - 98.13%
6) Dr.Web - 310/321 11 Missed - 96.57%
7) CommandAV + F-Prot + BitDefender (3 Way Tie) - 309/321 12 Missed - 96.26%
8) ETrust - 301/321 20 Missed - 93.76%
9) Trend - 300/321 21 Missed - 93.45%
10) Avast! Pro - 299/321 22 Missed - 93.14%
11) Panda - 298/321 23 Missed - 92.83%
12) Virus Buster - 290/321 31 Missed - 90.34%
13) KingSoft - 288/321 33 Missed - 89.71%
14) NOD32 - 285/321 36 Missed (results identical with or without advanced heuristics) - 88.78%
15) AVG Pro - 275/321 46 Missed - 85.66%
16) AntiVIR - 268/321 53 Missed - 83.48%
17) Antidote - 252/321 69 Missed - 78.50%
18) ClamWIN - 247/321 74 Missed - 76.94%
19) UNA - 222/321 99 Missed - 69.15%
20) Norman - 215/321 106 Missed - 66.97%
21) Solo - 182/321 139 Missed - 56.69%
22) Fire AV - 179/321 142 Missed - 55.76%
23) V3 Pro - 109/321 212 Missed - 33.95%
24) Per_AV - 75/321 - 246 Missed - 23.36%
25) Proland - 73/321 248 Missed - 22.74%
26) Sophos - 50/321 271 Missed - 15.57%
27) Hauri - 49/321 272 Missed - 15.26%
28) CAT Quickheal - 21/321 300 Missed - 6%
29) Vir_iT - 10/321 311 Missed - 3%
30) Ikarus - Crashed on first virus. - 0%

Keizer
I'M Your Huckleberry
MVM
join:2003-01-20

said by Kobra007:
I tried eScan, and it caused me to reformat. So I tried it again, and had to reformat a second time. That product is an accident waiting to happen!
Wow, I would think that for someone who runs tests like you do, that you would be running imaging software, instead of formatting.

Keizer
Kobra007
join:2004-06-15
Longwood, FL

Ok, re-imaged is what I meant actually. =) You know what I mean.. Either way, eSCAN caused me more headaches than it was worth, so I excluded it. Keep in mind, I don't ALWAYS test this crap, this is more a one-time thing. I probably won't do it again till I get around 10k samples.

Now if we can get some backing behind that MKS-Vir 2004, the most impressive detections I've seen in an AV yet. =)
alien8
join:2004-03-03
UK

alien8 to Kobra007

Hi,

What options did you use on ClamWin?

If your virus samples were contained in .eml files (for example) it may be worth forcing on the --mbox option.

It might also be worth downloading the very latest command line build of ClamAV from here:

»clamav.or.id/

Cheers,

Steve

StraitShoot
Who Loves Ya Baby? - Theo Kojak
Premium Member
join:2003-02-08
Clinton, MA

StraitShoot to Kobra007

I trialed MKS Vir 2004... Pretty strong stuff.. How's ...
1. Tech support?
2. ICSA and other certification?
3. Nothing on Virus Bulletin
4. Not a very well AV...

FF again
join:2003-06-13
Finland

1 edit

> 3. Nothing on Virus Bulletin

In my understanding after this above, Mks Vir 2004 is a very SERIOUS product, no face lift efforts.

But seriously, look at my link.

»www.mks.com.pl/english.html

After this what happened, how is the future?

Best regards,
FF again!
Gavin_TH
join:2003-04-03
Australia

4 recommendations

Gavin_TH to Kobra007

Since none are verified, that makes a much worse test. If you would like me to personally verify some of these samples you can IM me and I'll do my best to do so quickly for you. If you like I will also suggest samples which should not be included for various reasons. For example, why include JOKE programs. They are NOT VIRUSES - how many times do we have to say this when it's related to a test and results which many new users might take without knowing the truth about the results.

Obviously making a much bigger test set is the other important thing to address, it's not very useful unless you get a bigger test set and verify them ALL carefully.

Khaine
join:2003-03-03
Australia

Khaine to Kobra007

That's a very generous offer Gavin, if I were you Kobra I would accept.

A couple of questions for you :

How do you rate ClamAV ?

Have you considered testing rebased samples ?

And testing samples that have been packed multiple times ?

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

3 edits

Name Game to Martinus

Re: Kobra's Antivirus SHOWDOWN results.-----------------------

said by Martinus:
said by squatpuke:
...I guess I don't understand how it can use two engines of two different products for less than those actual products themselves...
Buying a licensing scheme of an engine is much cheaper than having a R&D team developing and maintaining it. So, actually the engine final cost is much less for eXtendia than for KAV. And if the licensing scheme is per units sold basis - as most are -, the more they sell, the more they pay and everybody's happy.

Yup..and here is another new offering to throw in the pot. CyberScrub's other products are well respected.

CyberScrub AntiVirus

CyberScrub AntiVirus provides state of the art security protection for five years- at one low price. Our award winning technology ensures protection against viruses, worms and trojans backed by top customer support and value.

»www.cyberscrub.com/antiv ··· ndex.php

"Is CyberScrub AntiVirus able to offer me the same level of protection as the products in the yellow or red boxes?

CyberScrub AntiVirus is powered by Kaspersky Lab. This means we utilize what is considered to be among the worlds most effective and secure technology."

»forum.gladiator-antiviru ··· ic=15767

JimIT
join:2003-06-25
Fort Worth, TX

2 recommendations

JimIT to Gavin_TH

Re: Kobra's Antivirus SHOWDOWN results.

said by Gavin_TH:
Since none are verified, that makes a much worse test. If you would like me to personally verify some of these samples you can IM me and I'll do my best to do so quickly for you. If you like I will also suggest samples which should not be included for various reasons. For example, why include JOKE programs. They are NOT VIRUSES - how many times do we have to say this when its related to a test and results which many new users might take without knowing the truth about the results.

Shh! You'll disturb the drama!

Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

Randy Bell to Gavin_TH

said by Gavin_TH:
.. why include JOKE programs. They are NOT VIRUSES ..
Also, ADWARE or SPYWARE programs -- many AVs don't detect these, forex NAV only started detecting these expanded threats in the 2004 version. {Joke programs are also part of Symantec expanded threats}.

FF again
join:2003-06-13
Finland

FF again to Kobra007

Just scanned Mks Vir 2004 against my 1378 infected archived samples, 1155 detections with standard heuristics. Against 851 VIRUSES, 87.1 %, against 394 trojan like malware, 86.0 % and against 133 Riskware, 56.4 %, total protection 83.8 % compared to BitDefender 7.2 Free, 86.1 % and eXtendia (KAV + RAV), 92.7 %. Still just after eXtendia (KAV + RAV), (KAV) and (RAV) and BDF 7.2 Free. The second best against riskware.

I thought that I scanned with advanced heuristics, but when I had AH on, the result was 6 detections more, 1155 compared 1161, unfortunately not checked where those 6 detections were in my categories.

Best regards,
FF again!

John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

John2g to Kobra007

said by Kobra007:
I tried eScan, and it caused me to reformat. So I tried it again, and had to reformat a second time. That product is an accident waiting to happen!
That is strange, as it comes well recommended by one of the forum's virus experts.

»Can't get rid of Backdoor.Ralpha ...pse help
wayne_b
join:2003-12-06
Vancouver, WA

2 recommendations

wayne_b to Kobra007

Hi Kobra007,

In your Heuristics testing, did you happen to log False-Positive detection?

IMO, since Kobra007 has taken the time here, we should all help him grow. I say Kudos for coming out amongst us critics. The more independent AV testing we have the better decision we can make. I myself am tired of the hype, I want truth and facts based on sound testing; the least we can do is help Kobra007, not slam him.

-wayne

-ntl-
@213.69.x.x

-ntl- to Kobra007

Anon

I would like to see the names of the samples which NOD32 missed.

Do the missed samples include any ITW viruses and/or worms? Or did NOD32 "merely" miss trojans and/or other stuff?

I would also like to see the scan logs of the other scanners. Did you really include joke programs into the test set? If yes: Why and how many?

Regards,
Nautilus
happin_in
join:2003-09-25
09065

I notice on the Mks Vir 2004 web site they make the point "The packet is designed for the Polish user. It means that the aim of the program is providing the best possible protection against viruses roaming around Poland. One of the viruses' features is their partly-local character. It means that within the group of viruses particular for a given country there are some specimens from all over the world, as well as local viruses hardly known anywhere else in the world and rarely existing out of that country. As a result, the greatest scope of safety is provided by locally-designed products. Even the best-known, global software companies are not able to react fast enough to the appearance of a big number of new viruses that have not been heard about anywhere else."
That's an interesting point, and for someone like myself I cannot help but wonder if this is a highly effective way of PC security within regions. Obviously all anti virus co have standard across the board protection whether you reside in Iceland or Antarctica. How limiting is the across the board protection in comparison to this approach? Should this be the approach in the future?
Kobra007
join:2004-06-15
Longwood, FL

2 edits

1 recommendation

Kobra007 to Name Game

Re: Kobra's Antivirus SHOWDOWN results.-----------------------

There were no "Joke" programs in my samples, WTF you guys reading that? *ONE* AV, McAfee incorrectly labeled 2 of them as Joke programs and they were NOT, that's why McAfee doesn't get a 100%. Stop reading between the lines please.

I find it interesting that in every real-world test I've seen, some of the little "Cult" Favorite AV's just flat out don't stack up. In my own tests, they don't stack up either. Then it never fails, the cultists come out of the woodwork and attack the tester, without fail!

That's ok, ironically, my test results are quite close to some of the more reputable testers out there. I'm building a set of 50,000 samples and will retest again in a month or so, and I'd bet my percentages will be fairly consistent. It's just basic math that tells us that.

I test because I want to know what works and what doesn't and what's hype and what's real. I'm sick of the hype and marketing BS some of these AV companies are throwing out. Talk of "100% never failed on this test" and "Fastest and most accurate scanners" and other crap, and frankly, it's just that, crap. My opinion, take it or leave it.
Gavin_TH
join:2003-04-03
Australia

3 recommendations

Gavin_TH to Kobra007

Re: Kobra's Antivirus SHOWDOWN results.

Well if you aren't going to personally verify EVERY sample and determine exactly what it IS and DOES in real conditions, your test will be taken with a grain of salt. So unpack and disassemble EVERY sample, and run it on a REAL machine (no, VMWare does not count)

Important FACTS:

Just because a VX site says a sample X is virus Y, doesn't mean it is a live working dangerous version of this virus.

Just because antivirus X says sample Y is virus Z, doesn't mean it is a live working dangerous version of this virus.


If you choose to dispute these undeniable facts, consider the test somewhat a failure already.. sorry but those are facts and they are what matters most. One last, most important, well explained point to reinforce what I have just said:

Do you think antivirus vendors take a sample they are sent, and simply add detection? NO. It must be analysed carefully to determine everything it is capable of, in case it is a legitimate looking application which is hiding a small destructive routine which formats all drives under rare conditions. This is how virus analysts have to treat every sample, and if you aren't treating samples with similar care, you are not giving an ACCURATE detection rate at all. And if it's not accurate, why bother?

I commend you for trying, all the best with your test !
Kobra007
join:2004-06-15
Longwood, FL

That's weird, someone I know in the business says most AV companies either rely on definition sharing, or simple MD5 comparatives. I assume grabbing a few bytes out of a file, and slapping it into a database.

Testing seems to indicate this might be the case too. I'm not so sure I buy in the "Spend hours analysing, running it on a real machine, observing its actions, and then decompiling and logging the results.". Few labs really have the capacity to do this, you know that. If they do it, they are either hopelessly behind on their definitions, or they only do it on certain specific samples. Either way, it's not too realistic, and I've heard stories from insiders of automated signature adding systems at some companies.

It's not MY job to analyze and spend months testing each sample under each case, and in fact, it's rather unimportant to me personally. If a file is on my box that's even REMOTELY malicious, I want an AV/AT product to tell me. I don't want some dude in a lab in Iran deciding what I should and shouldn't have on my box.

Furthermore, *FEW* products I've noticed really live up to their hype. Heuristics is overused and abused as a catchy phrase by you guys. Seems to me, some people don't even understand what it means, or how to implement it, so they just place a fancy checkbox in their AV to "Wow" the newbs. Because that's about all it is in most AV's. FEW products actually do contain real Code-Emulation, comparative, behavior based heuristics, and I can count those on one hand.

MKS-Vir for example, appears smart enough to pick up fragment tracks of various virus creation tools in files. Even seems to be able to snag small patterns certain virus makers seem to leave behind in their works. Also, it definitely exhibits code emulation, with its ability to flag new keyloggers, dialers, and even brute force password cracking programs it's never even seen before.

Those boys know what they are doing.

FF again
join:2003-06-13
Finland

FF again to Kobra007

Stay Global, Act Local, is the only way to protect u enough. We all live in certain countries and have local ways to surf in the web, only by detecting those local nasties worldwide, makes an av the first class player, never only trust in ITW detection, look at QuickHeal results in various in the Zoo tests.

By the way, my own scanning percents may look a bit low, but I have in those 133 riskware some 125 constructors, keyloggers, polymorphic engines and virtools, which are only in some av's database widely. MKS_VIR 2004 was still better in full protection than Panda Platinum 7, DrWeb 4.31b, AntiVir 6.25.096, Avast 4.1 Home, NOD32 with AH, ClamWin 0.35 and AVG 6.0. Not bad in my mind.

Best regards
FF again!
ghost16825
Use security metrics
Premium Member
join:2003-08-26

1 edit

ghost16825 to Kobra007

said by Kobra007:
If a file is on my box thats even REMOTELY malicious, I want an AV/AT product to tell me.
The question is where do you draw the line?
Do you have something which detects adware, dialers as well?
What about "potentially unwanted" types like distributed.net clients, leaktest programs or programs which disable DCOM (DCOMulator)?
What about port scanners and vulnerability scanners (Xcan)?
What about "legitimate-capable" programs like ftp servers and irc daemons?
What about IE only malicious HTML?
Here's one for you - what about crippled or corrupted malware which shows characteristics of a common virus but is not a threat?

I would rather have a massive amount of false positives to know that an AV is "working" - but that is only because I run AVs on demand only. This is only because like you, I know that most AVs rely heavily on signatures.
But you can imagine what would happen if all AVs had such "borderline" detection on by default, as well as users turning on realtime scanning and automatic cleanup.

And no, I doubt that such in depth analysis is done for the majority of viruses submitted.

Also let's not forget signatures are a revenue stream not out of the box heuristics.

BrettStarr
Premium Member
join:2003-11-07
Las Vegas, NV

1 edit

BrettStarr to Kobra007

edit: withdrawn. sorry.