AV-Comparatives May 2017 test. Windows Defender did great!

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Well, there are so many factors why some AVs managed to get a 100% detection rate in the results.

One possibility is the ratio of samples, where the majority were trojans and the rest were other threats which can be easily detected due to their prevalence rate.

Nevertheless, AV-Comparatives will not count detections that come from BB and HIPS and need user interaction, unless the sample is blocked automatically by default.
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
I'd love to use G Data, but found it heavier and alert-prone.

I miss eXtendia AVK, that was basically a US-licensed version of G Data with Kaspersky and Reliable Antivirus (RAV) built in. Very effective, and it had a fantastic interface with a ton of drill-down.

I just read another article that Windows Defender still has serious vulnerabilities. Also, the other AVC test released for performance showed Windows Defender was the heaviest product tested on systems. I'd never recommend any AV built into an OS, and some of the worst infections we find are on WD-protected machines.
It's a good product, but their anti-ransomware module is just weak and too forgiving; it hasn't stopped any ransomware fully, there are always a few files encrypted.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Thanks for the answers and clarifications. I have respect for our malware hunters and I did not want to say something offensive about any of the work that is being done there. I just said my opinion, and if it was disrespectful to any of our members I am sorry. You said some logical things and it's a debate (of course not here :) ). Of course, we can resolve some problems in the hub, for example having a red line for testing (4 hours, for example), guiding people about how they should dynamic test some products, and banning the dynamic test of some products that cannot be tested (guiding about settings for testing).
About some vendors detecting the hub's samples and some not: sometimes, in my opinion, the quality of a sample is important. Of course, a product should detect all the threats, but sometimes some products focus on what samples are in the wild among the users. IMO some samples that are in forums are not in the wild and their detection is not as important as a quality sample that is affecting users in the real world. Quality does not mean just the good coding of the sample, but how many users are seeing it in the real world, is it really harmful?, is it a PUP or not?, and so on. My problem is with fanboys and people who are referencing the hub (as you said, one vendor may be doing what I said about detecting the hub's samples; thanks for this logic). Referencing the hub is OK, but not for showing people what they should choose.

Another quick input..
Normally, when a new sample gets detected -if detected very close to its release- AVs don't know if it will be in the wild or not... and even if it is not in the wild, since they got a copy of it, why shouldn't they add detection (consider it could go viral later)?
AVs should detect all MW they get in touch with and even 0-days; that's what users want and expect... nobody wants to get infected by MW, in the wild or not.
We cannot test within 4 hours just because we live in different timezones and testing is not our job (we do it when we can, we are not available 24/7).
The dynamic test is "easy": all samples missed on static are executed.
We check if the AV blocks the MW on run, then we look in memory, in autorun locations, on the HD and with 2nd opinion scanners.
If you know a better way to run dynamic tests or to better detect missed samples, we are more than happy to hear yours as well as others' suggestions. ;)
 

Antimalware18

Level 10
Verified
Well-known
Jan 17, 2014
486
I don't trust their test because it's not related to reality... Avast full detection... this AV is so poor that even in Poland kids don't wanna install it for free because it sucks so much.

They must be smoking the good stuff in Poland...

If you set up Avast with everything to max with hardened mode on aggressive, this thing is damn near impenetrable. Notice I say "near" because nothing really is impenetrable.
 

509322

I don't trust their test because it's not related to reality... Avast full detection... this AV is so poor that even in Poland kids don't wanna install it for free because it sucks so much.

You are a native Polish speaker. That is why you get fast support from Datpol and they fix what you report. :D

English-language reports - the responses are not so good. :mad:
 

Quassar

Level 12
Verified
Well-known
Feb 10, 2012
585
Hmm, dunno, maybe they respond faster because I did a lot of work around this software :)
 

S3cur1ty 3nthu5145t

Level 6
Verified
May 22, 2017
251
Another quick input..
Normally, when a new sample gets detected -if detected very close to its release- AVs don't know if it will be in the wild or not... and even if it is not in the wild, since they got a copy of it, why shouldn't they add detection (consider it could go viral later)?
AVs should detect all MW they get in touch with and even 0-days; that's what users want and expect... nobody wants to get infected by MW, in the wild or not.
We cannot test within 4 hours just because we live in different timezones and testing is not our job (we do it when we can, we are not available 24/7).
The dynamic test is "easy": all samples missed on static are executed.
We check if the AV blocks the MW on run, then we look in memory, in autorun locations, on the HD and with 2nd opinion scanners.
If you know a better way to run dynamic tests or to better detect missed samples, we are more than happy to hear yours as well as others' suggestions. ;)

Allow me to help set some things straight here, as one of my biggest pet peeves is misinformation, whether intentional or otherwise. Whether this stems from the novice trying to assert themselves as some kind of GURU, attempting to inflate their ego, or from the developers, it does not matter; I will state what needs to be said.

The HUB:

The Hub's current and long-standing setup was not done for "Product vs Product" comparisons of detection rates etc. It was set up and designed to run static and dynamic tests on fresh samples in order to SUBMIT missed samples to vendors, along with any BUG-related issues that may have been produced along the way. This whole setup is intended to help the developers and ALL their users by helping improve products.

The Malware Hunters:

What they do for this Hub can never receive enough recognition and praise. It is not a simple thing to go to a site like Malwr/Hybrid-Analysis, dig through samples finding all of the freshest, under-25-detection samples they can, submit them to VirusTotal to confirm and post links to the detection rates, then submit them to an automated sandbox to make sure they are indeed malicious, record all these URLs from both places upon submitting to add to their post or the pack, then execute the samples one at a time to make sure they are working samples and weed out any corrupted ones, before they can zip the pack up, upload it to a sharing site, and create a thread with all the URLs and the sample pack. This takes many hours for one pack. These Hunters and Testers are outstanding, and sacrifice much to help others worldwide.

The Testers:

They sacrifice time as well, as it is no easy task to test correctly. They need to run the static test, then the dynamic one, during which every time a sample is executed they have to monitor the whole system, manually record changes, and take snapshots while doing so; this includes digging through the system in between each sample, checking all the common places malware/files drop on the system, for recording. If done correctly, a small pack can take up to an hour to an hour and a half. They also need to keep everything organized so that when finished they can upload all of it to the thread.

I truly hope this reaches some of you, as these guys in the HUB deserve much praise for the efforts they put in.
 

kamla5abi

Level 4
Verified
May 15, 2017
178
I don't trust their test because it's not related to reality... Avast full detection... this AV is so poor that even in Poland kids don't wanna install it for free because it sucks so much.
That's not what the MH tests show

(lol, joke intended :p:cool::D)
But seriously, with the hardening settings that are posted in the Avast section, the 2017 version of Avast gets pretty damn good and not too heavy on the resources either.
If you get a bad score in your exam, it doesn't mean squat. Not sure why users get upset easily.
Exactly.
If we think like that we will change our AV every month or two depending on which AV takes the highest score.
This, exactly. How many labs are out there doing these tests? And how many other YouTubers too? (no offense to the good YouTube testers ;))
Forget every month or two, you will be changing your security setup every week or so lol.

They must be smoking the good stuff in Poland...

If you set up Avast with everything to max with hardened mode on aggressive, this thing is damn near impenetrable. Notice I say "near" because nothing really is impenetrable.
lol that's what I said above, since that's what the general consensus seems to be around here too. By default it is not super good of course, but after hardening it is much, much better.
Allow me to help set some things straight here, as one of my biggest pet peeves is misinformation, whether intentional or otherwise. Whether this stems from the novice trying to assert themselves as some kind of GURU, attempting to inflate their ego, or from the developers, it does not matter; I will state what needs to be said.

The HUB:

The Hub's current and long-standing setup was not done for "Product vs Product" comparisons of detection rates etc. It was set up and designed to run static and dynamic tests on fresh samples in order to SUBMIT missed samples to vendors, along with any BUG-related issues that may have been produced along the way. This whole setup is intended to help the developers and ALL their users by helping improve products.

The Malware Hunters:

What they do for this Hub can never receive enough recognition and praise. It is not a simple thing to go to a site like Malwr/Hybrid-Analysis, dig through samples finding all of the freshest, under-25-detection samples they can, submit them to VirusTotal to confirm and post links to the detection rates, then submit them to an automated sandbox to make sure they are indeed malicious, record all these URLs from both places upon submitting to add to their post or the pack, then execute the samples one at a time to make sure they are working samples and weed out any corrupted ones, before they can zip the pack up, upload it to a sharing site, and create a thread with all the URLs and the sample pack. This takes many hours for one pack. These Hunters and Testers are outstanding, and sacrifice much to help others worldwide.

The Testers:

They sacrifice time as well, as it is no easy task to test correctly. They need to run the static test, then the dynamic one, during which every time a sample is executed they have to monitor the whole system, manually record changes, and take snapshots while doing so; this includes digging through the system in between each sample, checking all the common places malware/files drop on the system, for recording. If done correctly, a small pack can take up to an hour to an hour and a half. They also need to keep everything organized so that when finished they can upload all of it to the thread.

I truly hope this reaches some of you, as these guys in the HUB deserve much praise for the efforts they put in.
Amen to that! :cool:
The labs that do this testing and put out reports, that is their job, as in they get paid to do that lol.
People in the hub doing testing on their own time are either, as you said, submitting stuff to AV companies to help them improve detection or the product, or just want to see how their AV software config does on malware samples.

This is not directed at S3cur1ty 3nthu5145t, it is for others who take lab tests over MH tests or other "educated testers":
If you go to the hub and see the threads, you will see that the samples uploaded are actually pretty damn new. Probably not 0 hours old, but mostly 0 days old or so for sure.

So if you see a thread posted, and then people did their tests soon after, those results are a pretty good basis to draw some conclusions on once you see a trend forming. But of course you can't draw 100% conclusions, even when you compile data from many (maybe 100s or more) different tests and account for the time frame etc. Even then, there will be a margin of error, standard deviations, confidence intervals, blah blah blah (from statistics). The labs don't make or provide any of that type of analysis.

Only: x samples of this malware, y samples of that malware, z samples of that malware - no idea how old or new, the settings used (without proof they can say what they want, but who knows), maybe the specific samples they chose are somehow biased to begin with to be detected better by some software vs other software, etc.

Then they sometimes even say that if the user is presented with a popup, but the choice is given to the user, that counts against the software in that test... why?? I can understand the result being thrown out or not included in the overall result maybe, or classified under "User prompt" or something... but I don't understand why the tester counts that against the AV software.

If you are browsing this forum, doing work in MS Word/Excel/etc. or ANY legitimate software and all of a sudden or randomly your AV software pops up and says "this file is flagged/stopped because we think it's bad, what do you want to do?" and you are doing legitimate work or nothing questionable at least... then who in their right mind would say "yes, allow", especially on a randomly named file (as much malware ends up creating/being)?? o_O Of course, if you are doing questionable things, or other legit stuff that conflicts with AV software (e.g. testing/creating software with unsigned files is one I can think of off the top of my head, but many other legit things set off AV software sometimes, as you know...) and you see a popup from the AV, then if you click "yes, allow" for whatever file and then the AV software fails to protect you, you are screwed.
 

kamla5abi

Level 4
Verified
May 15, 2017
178
Another quick input..
Normally, when a new sample gets detected -if detected very close to its release- AVs don't know if it will be in the wild or not... and even if it is not in the wild, since they got a copy of it, why shouldn't they add detection (consider it could go viral later)?
AVs should detect all MW they get in touch with and even 0-days; that's what users want and expect... nobody wants to get infected by MW, in the wild or not.
We cannot test within 4 hours just because we live in different timezones and testing is not our job (we do it when we can, we are not available 24/7).
The dynamic test is "easy": all samples missed on static are executed.
We check if the AV blocks the MW on run, then we look in memory, in autorun locations, on the HD and with 2nd opinion scanners.
If you know a better way to run dynamic tests or to better detect missed samples, we are more than happy to hear yours as well as others' suggestions. ;)
I have a question:
When a sample gets detected, how do you know how close to its release it was detected?
By looking at the compile time or the files inside the malware?
Just curious how :)

Dynamic Testing
I think the poster you replied to was talking about how some people turn certain protections off in some AV software before they execute the sample for dynamic testing, maybe?
But I think I understand the reason they turn off those certain protections (cuz if they are left on, the software will detect the sample statically as it did for the static test... which means they will never get to the dynamic test point lol).

I think he means that maybe some of those protections they disable, which we think are responsible for static detection only, might actually play a role in dynamic detection as well under the hood somehow? So maybe a different way to test dynamically would be to have outdated definitions but leave all protection options enabled (to try to rule out that maybe they still play a role in dynamic detection under the hood?). That means definitions only updated to before the malware being tested had definitions added by the software being used. So then static detection by definitions wouldn't work for that AV, because it doesn't have definitions for it yet locally, so it has to rely on dynamic detection protections once the malware is executed. But I dunno how that would be done, especially for any cloud-based AV...
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
@kamla5abi,
we can upload only samples that are 0-day or that were uploaded for the first time on VirusTotal at most 10 days before.
When we get special samples, mostly new ransomware, that already have detection by >25 AVs on VT, we might still upload them to test the BB/non-signature detection of AVs.
In this case we disable "signature" as well as "cloud" detection before executing the sample... for some AVs it is easy, for some less so, for some it is not possible.
 

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
220
I have a question:
When a sample gets detected, how do you know how close to its release it was detected?
By looking at the compile time or the files inside the malware?
Just curious how :)

Dynamic Testing
I think the poster you replied to was talking about how some people turn certain protections off in some AV software before they execute the sample for dynamic testing, maybe?
But I think I understand the reason they turn off those certain protections (cuz if they are left on, the software will detect the sample statically as it did for the static test... which....
Exactly, the point is some of these AVs cannot be tested dynamically, yet you see someone test them and others in other threads make a judgement.
 

Orion

Level 2
Verified
Apr 8, 2016
83
They must be smoking the good stuff in Poland...

If you set up Avast with everything to max with hardened mode on aggressive, this thing is damn near impenetrable. Notice I say "near" because nothing really is impenetrable.

On the other hand, Avast is causing problems for the CIA:
[Sarcasm Alert] New (In)dependent tester awards CIA-graded certification

The tests in the hub are good but NOT accurate, as they are too binary-centric and don't test the real infection sources, chains and vectors (URLs, downloading the malware; some AVs like Avast have components to protect on download, e.g. CyberCapture, file reputation (DRep)).

You have to find the right balance between being too binary-centric and testing official entry points and the chain. Also, there has to be some relation between the binaries and their sources, e.g. what's the point of testing something whose source is already dead or dies in an hour? Also, in my experience there tend to be a lot of dead malware samples, and some samples won't even do their dirty stuff on a VM, so behaviour blockers won't trigger ;)
 

S3cur1ty 3nthu5145t

Level 6
Verified
May 22, 2017
251
On the other hand, Avast is causing problems for the CIA:
[Sarcasm Alert] New (In)dependent tester awards CIA-graded certification

The tests in the hub are good but NOT accurate, as they are too binary-centric and don't test the real infection sources, chains and vectors (URLs, downloading the malware; some AVs like Avast have components to protect on download, e.g. CyberCapture, file reputation (DRep)).

You have to find the right balance between being too binary-centric and testing official entry points and the chain. Also, there has to be some relation between the binaries and their sources, e.g. what's the point of testing something whose source is already dead or dies in an hour? Also, in my experience there tend to be a lot of dead malware samples, and some samples won't even do their dirty stuff on a VM, so behaviour blockers won't trigger ;)
Try reading this post a few above yours again; maybe you can answer your own questions. It is why I posted it, so everyone would understand.

 
