Tutorial Anti-Virus & Malware = Myths and Facts

#41 Nikos751 (Level 16, Verified, joined Feb 1, 2013, 914 messages, Windows 10, ESET)
n.nvt, I'll thank you once again for all this valuable information and your time. I read both your guide and this reply. What I understand is that most risks for home users can be prevented with common sense and basic education on safe behavior. The small percentage of nasty malware that uses more advanced ways to infect a PC can either infect you if you let it into your computer, or if you give it privileges yourself (UAC, for example). In most cases the difference with a paid product is that, with its whole service, it can help you remove those nasty infections and can give you more info on the infection you have (level of risk, description, tech support, etc.).
Is this correct?

#42 (member joined May 11, 2013, 1,677 messages, Windows 7, Norton)
> n.nvt, I'll thank you once again for all this valuable information and your time. I read both your guide and this reply. What I understand is that most risks for home users can be prevented with common sense and basic education on safe behavior. The small percentage of nasty malware that uses more advanced ways to infect a PC can either infect you if you let it into your computer, or if you give it privileges yourself (UAC, for example). In most cases the difference with a paid product is that, with its whole service, it can help you remove those nasty infections and can give you more info on the infection you have (level of risk, description, tech support, etc.).
> Is this correct?

That is pretty much correct.

#43 Jaspion (Level 16, Verified, joined Jun 5, 2013, 760 messages)
Thanks everybody for your shared opinions. This has indeed been a productive continuation of the original discussion started in this thread, and it's good that no one has broken this great combo with personal attacks. After all, we're all here to learn and share knowledge.

At this point, one thing still bothers me. I suspect this is a very important issue that has been largely overlooked here. It is the case of Virtual Machine tests in evaluating antivirus/antimalware solutions.

If n.nvt and Littlebits are correct, VMs do not represent real live machines well enough because the virtual system doesn't have the same level of access to the machine's resources, meaning the AV also doesn't have access to all the resources it needs to work properly. Is that correct? Because this would mean that so many users here doing VM tests are just doing little more than playing a type of video-game: it's cool to watch, but doesn't belong to real life.

Another thing I would like n.nvt to clear up is the difference in trial vs. paid. Is the difference only the obvious time limit or is the protection level diminished as well?

Thanks.

#44 Nikos751 (Level 16, Verified, joined Feb 1, 2013, 914 messages, Windows 10, ESET)
I feel much better now that I have a realistic idea of what's happening. One last piece of advice from you, n.nvt. As I am a home user with no paid product available, do you think that Privatefirewall with Avira Free is a waste of resources and I should only keep something like Windows default security, or Windows Firewall with Avira Free, etc.? I still believe for some reason that most well-known free AVs can improve the security even of a system like mine, even though I am not a novice user.

Likes: Nico@FMA

#45 Nikos751 (Level 16, Verified, joined Feb 1, 2013, 914 messages, Windows 10, ESET)
> Thanks everybody for your shared opinions. This has indeed been a productive continuation of the original discussion started in this thread, and it's good that no one has broken this great combo with personal attacks. After all, we're all here to learn and share knowledge.
>
> At this point, one thing still bothers me. I suspect this is a very important issue that has been largely overlooked here. It is the case of Virtual Machine tests in evaluating antivirus/antimalware solutions.
>
> If n.nvt and Littlebits are correct, VMs do not represent real live machines well enough because the virtual system doesn't have the same level of access to the machine's resources, meaning the AV also doesn't have access to all the resources it needs to work properly. Is that correct? Because this would mean that so many users here doing VM tests are just doing little more than playing a type of video-game: it's cool to watch, but doesn't belong to real life.
>
> Another thing I would like n.nvt to clear up is the difference in trial vs. paid. Is the difference only the obvious time limit or is the protection level diminished as well?
>
> Thanks.

I thought the same thing as you some seconds ago, and it will be nice to know what's really up with VMs.
About trial and paid products, I believe it's up to the vendor and what it provides in its trial (30 days, for example).

Likes: Nico@FMA

#46 (member joined May 11, 2013, 1,677 messages, Windows 7, Norton)
> I feel much better now that I have a realistic idea of what's happening. One last piece of advice from you, n.nvt. As I am a home user with no paid product available, do you think that Privatefirewall with Avira Free is a waste of resources and I should only keep something like Windows default security, or Windows Firewall with Avira Free, etc.? I still believe for some reason that most well-known free AVs can improve the security even of a system like mine, even though I am not a novice user.

Oh yes, there is generally nothing wrong with free anti-malware; it's better than nothing and good enough for a general level of protection.
And no, I do not think you are wasting your resources, as I mentioned earlier in my posts.
As I said, it really comes down to what you require, know about and feel comfortable with.
It gets the job done... mission accomplished, right?

Likes: Nikos751

#47 (member joined May 11, 2013, 1,677 messages, Windows 7, Norton)
> I thought the same thing as you some seconds ago, and it will be nice to know what's really up with VMs.
> About trial and paid products, I believe it's up to the vendor and what it provides in its trial (30 days, for example).

Well, from a vendor point of view, they are NEVER going to give you the full functionality in a free product if they've got a premium package for sale.
That would be killing your own product.
See my point? And it really does not matter if it's just support you pay for or additional tools, functionality and such.
There is always something (or a bunch of things) that a paid product does better than a free version.
Why else sell it? Otherwise they might as well sell hot air.

#48 Nikos751 (Level 16, Verified, joined Feb 1, 2013, 914 messages, Windows 10, ESET)
> Oh yes, there is generally nothing wrong with free anti-malware; it's better than nothing and good enough for a general level of protection.
> And no, I do not think you are wasting your resources, as I mentioned earlier in my posts.
> As I said, it really comes down to what you require, know about and feel comfortable with.
> It gets the job done... mission accomplished, right?

Mission accomplished. You are one of the most knowledgeable people here, without being half-educated on security-related things.

#49 Umbra (Level 85, Content Creator, Verified, joined May 16, 2011, 18,425 messages, Windows 10, Default-Deny)
> If n.nvt and Littlebits are correct, VMs do not represent real live machines well enough because the virtual system doesn't have the same level of access to the machine's resources, meaning the AV also doesn't have access to all the resources it needs to work properly. Is that correct? Because this would mean that so many users here doing VM tests are just doing little more than playing a type of video-game: it's cool to watch, but doesn't belong to real life.

Exactly; some AV features can't even work as they should in VMs, so unaware "wannabe expert testers" think that the solution is bypassed.
When I did virus testing, I always used an old spare REAL system to truly measure the real potential of the solution. VMs approach a real system, but they ARE NOT a real system; the nuance is very important.

> Another thing I would like n.nvt to clear up is the difference in trial vs. paid. Is the difference only the obvious time limit or is the protection level diminished as well?

It depends on the solution, but mostly it is just time-limited so you can judge the product's effectiveness. Trialware is made to give you a taste of the product so you may purchase it, whereas free software is just to gain more audience and maybe potential paying customers.

#51 (member joined May 11, 2013, 1,677 messages, Windows 7, Norton)
> Exactly; some AV features can't even work as they should in VMs, so unaware "wannabe expert testers" think that the solution is bypassed.
> When I did virus testing, I always used an old spare REAL system to truly measure the real potential of the solution. VMs approach a real system, but they ARE NOT a real system; the nuance is very important.
>
> It depends on the solution, but mostly it is just time-limited so you can judge the product's effectiveness. Trialware is made to give you a taste of the product so you may purchase it, whereas free software is just to gain more audience and maybe potential paying customers.

100% spot on; that's why I mentioned that member testing is nice for reference but does not hold much real info.

#52 moonshine (Level 6, Verified, joined Apr 19, 2011, 1,222 messages, Windows 10, ESET)
Testing with a Virtual Machine vs. testing with a real system

It's the little things that matter. :D

Likes: Nico@FMA

#53 cruelsister (Level 36, Content Creator, Verified, joined Apr 13, 2013, 2,577 messages)
Without getting overly involved in this topic, I'd just like to make 2 points:

1). Paid is better than Free: this statement speaks to ignorance of a company's business model more than having any basis in fact. Two examples of this would be Baidu and Qihoo (no WAY I'm mentioning Comodo here). Qihoo, and to a more recent and lesser extent Baidu, use the anti-malware application as a "loss leader". Basically they want folks to like BAV and Q360 to draw them into using their respective browsers, which run their respective search engines, from which they derive the bulk of their revenue.

To put it in perspective, one must look at the market cap (i.e. total market value of the company as a whole) of these organizations. Using Symantec as a baseline, which has a market cap of about 13.5 billion USD, Baidu is really up there at about 56 billion, and upstart Qihoo is in a virtual tie with Symantec. So one can easily see these aren't fly-by-night organizations by any means, and they have consistently put money back into their security products to make them better.

So instead of saying a free product can't compete with a paid product, one should question how someone like AVG (market cap 1 billion USD) can compete with Qihoo!

2). A statement was made that the testing done on the Malware Hub is of little value. Perhaps this would indeed be the case if occasionally 10 or so rinky-dink samples were run every now and then. But that isn't the case, is it? Since I've come on board at MT I've personally run in excess (EASILY in excess) of 10 thousand samples, all of which were D+2 or newer, primarily on Q+CF (although I always find some time to mock other products). This combination has consistently been shown to provide excellent protection, and I can only assure you I know what I am doing. And it is free.

But should we dismiss this testing and instead drool over the results of things like the pathetic AV-C results? I think not.

(Note to friend Jasp: my tests are on live test boxes. I'm also leery of doing any realistic tests in a VM, at least when samples are run. On-demand scanning only wouldn't be an issue, though, if that's what others are using.)

#54 Littlebits (Retired Staff, joined May 3, 2011, 3,868 messages)
Testing malware in virtual environments will never give you correct results. Just as mentioned by Umbra Polaris, some protection and detection features will fail to work properly because they need direct access to the Windows kernel; the same applies to Windows features like UAC and Secure Boot. On-demand scans of malware packs don't tell you anything about a product's protection features.

If you want to test like a professional, it requires a lot of work and takes time.
- You will need a dedicated testing system with an updated Windows OS installed.
- After all Windows updates are applied, you will need to make a disk image to restore after testing the malware samples.
- To make sure that you get correct results, every time the testing system gets infected you will need to restore the disk image before continuing to the next sample test.
- Test the protection/blocking features of each selected product; on-demand scans are not important, since the protection/blocking features of many products can still protect against infection even though the on-demand scans may not detect anything.
- Besides testing live malware samples, mix in some popular safe files and test for false positives as well.
- Make sure that your malware samples are current and still available in the wild for accidental download. Testing remote samples that most users will not likely encounter will give false results. According to Microsoft, malware samples that have not been active in the wild for over 90 days with no reported infections are dead, bad samples. Just because you can find the samples and manually download them from a malware hosting site doesn't mean that they are in the wild for accidental download. Some samples never go in the wild; they just sit on hosting sites and stay remote, where only malware hunters can find them and test them. These are poor samples to test if you want accurate results.
- Make sure that the samples are actually real malware; just because they are detected by an AV doesn't mean they are real. False-positive detection has become a problem with many AVs. You will have to observe the samples after they run to see what they do, because each sample will have to run on the testing system one at a time to verify that it is indeed real malware. Then you will have to restore the disk image between running each one to make sure there is no cross-infection between samples.
- Depending on the number of samples tested, it will probably take several months to complete the test; by then many of the samples used will be dead, and it still will not show an accurate picture of the current active malware in the wild.
- If you have several hundred identical testing systems, then it saves a lot of time because you won't have to keep restoring disk images. It also helps if you have a testing crew; it's too much work for just one person to do.

So who wants to test like a professional?? I have better things to do with my time.

Enjoy!! :D

#55 (member joined May 11, 2013, 1,677 messages, Windows 7, Norton)
> Without getting overly involved in this topic, I'd just like to make 2 points:
>
> 1). Paid is better than Free: this statement speaks to ignorance of a company's business model more than having any basis in fact. Two examples of this would be Baidu and Qihoo (no WAY I'm mentioning Comodo here). Qihoo, and to a more recent and lesser extent Baidu, use the anti-malware application as a "loss leader". Basically they want folks to like BAV and Q360 to draw them into using their respective browsers, which run their respective search engines, from which they derive the bulk of their revenue.
>
> To put it in perspective, one must look at the market cap (i.e. total market value of the company as a whole) of these organizations. Using Symantec as a baseline, which has a market cap of about 13.5 billion USD, Baidu is really up there at about 56 billion, and upstart Qihoo is in a virtual tie with Symantec. So one can easily see these aren't fly-by-night organizations by any means, and they have consistently put money back into their security products to make them better.
>
> So instead of saying a free product can't compete with a paid product, one should question how someone like AVG (market cap 1 billion USD) can compete with Qihoo!
>
> 2). A statement was made that the testing done on the Malware Hub is of little value. Perhaps this would indeed be the case if occasionally 10 or so rinky-dink samples were run every now and then. But that isn't the case, is it? Since I've come on board at MT I've personally run in excess (EASILY in excess) of 10 thousand samples, all of which were D+2 or newer, primarily on Q+CF (although I always find some time to mock other products). This combination has consistently been shown to provide excellent protection, and I can only assure you I know what I am doing. And it is free.
>
> But should we dismiss this testing and instead drool over the results of things like the pathetic AV-C results? I think not.
>
> (Note to friend Jasp: my tests are on live test boxes. I'm also leery of doing any realistic tests in a VM, at least when samples are run. On-demand scanning only wouldn't be an issue, though, if that's what others are using.)
Let me address your points one by one.
1: Within the industry there is a market & business model, I will not deny that, and neither will I deny that there is a fair amount of ignorance, which seems to discredit free products and runner-up models from lesser companies.
I personally believe that a fair share of hostility keeps things interesting.
With regards to using Symantec as a baseline, that does not really hold any ground, because in my many posts I mentioned several vendors who have pretty much an equal status. So you can replace Symantec with any comparable vendor, for example Sophos, Kaspersky or F-Secure.
One of the reasons I pointed out Symantec and Sophos for their business and enterprise endpoint & management products is simple.
They control the market in virtually everything while they do not have the biggest market share, but they only control the market at this point due to the fact that the products they do offer in this respective market provide by far the best solutions for high-end companies.
Even Kaspersky does not come close to the level Symantec and Sophos are at. Obviously, on a personal note, I do not pick a favorite here, as I would install Symantec, Sophos, Kaspersky or even McAfee ANY day if this would fit our own company and security strategy.

From a home client perspective you are partially right: free does not necessarily have to be less than paid solutions; however, from a business point of view there is NOTHING that a free solution can offer other than a waste of time and a placebo effect.
Again, this has nothing to do with the free solution being a lesser scanner, but you have to look at this from a much broader perspective.
A company does not need just a scanner, a spam filter and a few gadgets. There is so much more that comes into play when a company is going to sign contracts with security companies like Symantec and Sophos.
And from this perspective you can hardly say that it's ignorance or that free is just as good as paid solutions; there is just no way you can even remotely compare them.
So with this in mind you are partially right from a "home" perspective, but you have to agree that from an industry point of view I am spot on.
(If not, then I have been sleeping for the past 15 years, lmao)

Also, the comparison based on market cap and share really does not hold any ground, as one security solution is perfect for company X while others are more for the masses and not tailored for company X.
And if you read my comments exactly as they are written, then you understand that I draw a clear line between home and industry standards when it comes to security.

So yes, let me confirm my previous statement that free does not match up to paid solutions within their respective markets.
And that's really what it's all about when you talk about security.

In regards to testing, I think some of you do not understand the idea behind testing in the first place: a member test or an independent lab test is a theoretical benchmark based upon various criteria and does not always take into account the full spectrum of a solution and its add-on solutions; next to that, it does not take into account specific infrastructure configurations.

Example: if I put an antivirus program in the middle of 100k live viruses, then this security product might detect 80%, and let's say it would remove or block another 75% (incl. false positives).

But if I put that same security package on a company infrastructure with all the right policies in place, then suddenly the same product can stop virtually ALL the malware, because the system itself really does not allow the infection to take place in the first place.
Just saying.

So again, from my point of view testing is an essential part, but it should be taken with a grain of salt, and using the testing results as a baseline to judge if a program is good enough is really going to give you a placebo effect if you take into consideration what I just explained.

I could go much deeper into this, but then I fear that we will lose track of the original context of this topic, and I fear that most others might get lost in industrial mumbo jumbo.

Again, I am not picking favorites and neither am I painting a wrong picture here, because most of the posters in this topic, like yourself, made some valid points, but things need to be taken into consideration and the info must be seen from a larger perspective, rather than from a single computer & home user perspective.
Testing results and detection rates and personal experiences based upon simple ideas and low-level testing and evaluating really do not stick.

I hope this explains some of your questions and ideas.

Likes: Umbra

#56 (member joined Jan 28, 2014, 417 messages)
Thanks a million, n.nvt, for sharing your articles here; it is indeed very educational, polished with a little joke that made me laugh a bit, and entertaining. Yes, it is quite true; I agree with most of your guide written here. I even read this guide over and over to really understand it. Anyway, thanks for sharing, very well written, well done :)

Likes: Nico@FMA

#58 Umbra (Level 85, Content Creator, Verified, joined May 16, 2011, 18,425 messages, Windows 10, Default-Deny)
None, that's its beauty.

If you really, really want, you can install rkhunter, an on-demand (OD) scanner (with a few FPs).