Emsisoft Anti-Malware 9 Final Test (MalwareDoctor)

Status
Not open for further replies.
Product name
Emsisoft

kmr1684

Level 3
Verified
Jun 23, 2014
148
It's not the most realistic way to test security software, as some malware can detect their environment. But, it is the cheapest viable option for most people.

Use of VM and Virtualisation in the real world is not useless.

some malware can detect their environment.
Good words. :cool: That is why real-system testing is different. For example, if you execute any rootkit or bootkit, it will show the difference: it will try to execute and detect and delete itself without any trace. If you still want a live example, please look into the malware pack posted by malware1, namely 2014-06-22_53.7z. In this pack the name of the file is d94ec06(10) to (14); I don't know specifically which one, but if executed in Sandboxie it detects it, exits from running further, and deletes itself and all traces of the file's execution. Why I am sharing this: I tried it on my real system, not in a VM, to check how my anti-V&M HIPS is working. Sadly, nothing gave a warning; the program started, detected it was running inside Sandboxie, and poof, deleted itself and all traces of running. :rolleyes::confused:
 

Overkill

Level 31
Verified
Honorary Member
Feb 15, 2012
2,128
If I use an old PC to malware test, what can I do to prevent any malware from possibly affecting other PCs on my network?
 

Overkill

Level 31
Verified
Honorary Member
Feb 15, 2012
2,128
Well, what malware can infect other PCs other than worms? Also, can some infect the router itself?
 

Deleted member 178

What are you saying, it's okay that malware disables the internet and BB does nothing about it? I had an AV last year that let a rootkit in while its BB did nothing about it.

The problem is not whether the BB blocked it or not; the problem is that it was done in a VM, and so the result can't be taken as a real result and can't be used to report it as a flaw. If it was done on a real system, then the devs can correct the software properly.
When I watch YouTube "VM-inside" tests, I just watch the UI and resource usage, then stop when the malware test begins.

In our case EIS' BB internet was cut, but:

- Was it the full effect of the malware? There is a 90% chance it is, but the 10% left is not acceptable enough to me.
- Was it a voluntary effect and consequence of the malware, or a side effect because the malware was running in a VM?
- Will this cut happen on a real system? Or will the malware do worse damage but was restrained by the VM, hence this cut?
- Is it reproducible on a real system?

You see, too many questions because it was done in a VM; if it was on a real system, I will say nothing, then I can produce some legit conclusions, but I can't because it was in a VM.

You (every tester) want to be a real tester? Go buy an old cheap laptop with WinXP/7 on it and then I will give far more credit than now.

Why do you think medicine/cosmetic firms employ real people as test subjects for their brand-new products? It is because a lab simulation NEVER replicates all the events and hazards a real system does.

When I did closed-beta tests, vendors asked me for details about a bug/issue I found; when I said it was in a VM, they all asked me to reproduce it on a real system to cross-check it. Why do you think they ask? Because they know that VM testing is not 100% accurate and they don't have time and money to waste correcting a VM-inside bug.

Rules/guidelines about reviews I made:

- Prefer a real system over Virtual Machines (like using an old computer); VMs may have some negative impacts on some security solutions.
If you use VMs, allocate enough dedicated RAM so the system will not be slowed; also prefer WinXP, as more malware will work on it than on a recent OS.
 

Deleted member 178

OK !

I have just got an explanation via mail from an Emsi developer of why the internet connection was cut; it has nothing to do with a flaw. I am just waiting for his authorization to copy the content of the mail here.

Then you will know why I created some rules for the reviews; this is the perfect example.

Thank you.
 

nsm0220

Level 21
Verified
Sep 9, 2013
1,054
The problem is not whether the BB blocked it or not; the problem is that it was done in a VM, and so the result can't be taken as a real result and can't be used to report it as a flaw. If it was done on a real system, then the devs can correct the software properly.
When I watch YouTube "VM-inside" tests, I just watch the UI and resource usage, then stop when the malware test begins.

In our case EIS' BB internet was cut, but:

- Was it the full effect of the malware? There is a 90% chance it is, but the 10% left is not acceptable enough to me.
- Was it a voluntary effect and consequence of the malware, or a side effect because the malware was running in a VM?
- Will this cut happen on a real system? Or will the malware do worse damage but was restrained by the VM, hence this cut?
- Is it reproducible on a real system?

You see, too many questions because it was done in a VM; if it was on a real system, I will say nothing, then I can produce some legit conclusions, but I can't because it was in a VM.

You (every tester) want to be a real tester? Go buy an old cheap laptop with WinXP/7 on it and then I will give far more credit than now.

Why do you think medicine/cosmetic firms employ real people as test subjects for their brand-new products? It is because a lab simulation NEVER replicates all the events and hazards a real system does.

When I did closed-beta tests, vendors asked me for details about a bug/issue I found; when I said it was in a VM, they all asked me to reproduce it on a real system to cross-check it. Why do you think they ask? Because they know that VM testing is not 100% accurate and they don't have time and money to waste correcting a VM-inside bug.

Rules/guidelines about reviews I made:

OMG Umbra Polaris, MalwareDoctor's VM was working fine, trust me, I know him very well, and I think you are protecting them and protecting the errors they make. And besides, Umbra Polaris, you are not a real tester to me. Where is a video that you made of any AV review? Because if you are saying that we are fakes, then where is a video that you made of any AVs that you test? And besides, Umbra Polaris, I am sick of this junk that you always say that makes us AV reviewers mad.
 

Deleted member 178

Here is the explanation:

Fabian Wosar said:
The connection drop is not caused by EAM or malware. The sample pack included two installers for Baidu Anti-Virus (Chinese and Japanese) as can be seen when you look at the "Signer" row at 12:50 and later (btokp_30448.exe and dcymvin_30627.exe are the files in question). Long story short: It appears Baidu Anti-Virus and EAM aren't compatible with each other which breaks the internet connection. Removing either Baidu or EAM will fix the connection. Running the same samples he ran but without the Baidu installers won't result in a loss of internet connection either.

Thanks to him for the clear explanation.

It is why I put this rule:

2- Avoid opening multiple malware at the same time; it will slow the system and may impact the software. In the real world, nobody executes a dozen malware at the same time.

http://malwaretips.com/threads/video-written-reviews-guidelines-rules.22362/
 

MikeV

Level 19
Verified
Top Poster
Well-known
Sep 9, 2013
925
Darth Umbra used to say:

"my young disciple, nothing is free in this world, you will pay in a way or another, as the Jedi paid for believing the galaxy was free of the sith"
HA HA HA HA HA .....The Sith will rule the Galaxy......
 

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
Here is the explanation:

Thanks to him for the clear explanation.

It is why I put this rule:

http://malwaretips.com/threads/video-written-reviews-guidelines-rules.22362/
I still don't understand what you are trying to prove here. We all know that these tests aren't 100% accurate, even if they are done on real PCs, not VMs. The fact that all these tests rely on MBAM and HMP to tell whether the system is clean or not, without even having a look at APP DATA, program data win, sys 32, reg, that's more than enough to make these tests not correct/accurate.

And of course running 20 malware at the same time may prevent the AV from reacting.

The problem is not the VM; that's maybe just another thing making these tests not accurate. But the way it's done, totally relying on other software scanners to see if the system is clean, that's the major problem, not the VM.

But we thank them for the work invested in the reviews.
 

Deleted member 178

I still don't understand what you are trying to prove here. We all know that these tests aren't 100% accurate, even if they are done on real PCs, not VMs.

Because I had proof, from my own experience, that VMs hampered some security suites. I did many tests at the time MalwareTips was not so popular; we had very few malware testers, unlike now, and vendors like Webroot, Comodo, and some others had less good results in VMs than on real systems (don't ask me why, I can't explain since I am not a developer).

It is why I ask testers to specify in what environment it is done, VM or real; at least watchers know it and can adjust their opinion accordingly.

When the military buys a new combat plane, they don't just watch videos or use a plane simulator; they send their pilots to test it first.

For me it is the same: I want a real-environment test so I can say, "OK, this product is good at the moment the test was done; I can go further and test it myself or recommend it to someone."

The fact that all these tests rely on MBAM and HMP to tell whether the system is clean or not, without even having a look at APP DATA, program data win, sys 32, reg, that's more than enough to make these tests not correct/accurate.

I agree with this. A really serious test should be done with forensic tools (like FMIAS, the one our member N.nvt created): one log/snapshot of the full system taken before the infection and one after, then compared.

And of course running 20 malware at the same time may prevent the AV from reacting.

Hence rule n°2

The problem is not the VM; that's maybe just another thing making these tests not accurate. But the way it's done, totally relying on other software scanners to see if the system is clean, that's the major problem, not the VM.

I agree again, but at least I want to reduce the margin of error by avoiding VM tests.

But we thank them for the work invested in the reviews.

Yes, I don't deny that, and I thank them because I don't have the time and resources to do it myself; and by putting in place some rules/guidelines, I want to help them gain a wider audience and look more professional.
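
The before/after comparison described in the post above (one snapshot before the sample runs, one after, then compared), as an added example that is not part of the original thread and is not FMIAS or its method. It hashes files only; the directory names and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative path) to the SHA-256 of its contents."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            try:
                digest = hashlib.sha256(full.read_bytes()).hexdigest()
            except OSError:
                digest = "<unreadable>"  # locked files are recorded, not skipped
            snap[full.relative_to(root).as_posix()] = digest
    return snap


def compare(before, after):
    """Return paths added, removed, or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed stand-in for a test machine: three files, then three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("AppData", "ProgramData", "System32"):
            (root / d).mkdir()
        (root / "AppData" / "settings.ini").write_text("theme=dark")
        (root / "ProgramData" / "update.log").write_text("ok")
        (root / "System32" / "driver.sys").write_bytes(b"original")
        before = snapshot(root)
        # Constructed post-run state: one dropped file, one patched, one deleted.
        (root / "AppData" / "dropped.exe").write_bytes(b"MZ-constructed")
        (root / "System32" / "driver.sys").write_bytes(b"patched")
        (root / "ProgramData" / "update.log").unlink()
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Registry state is not covered, and a sample that deletes itself between the two snapshots, like the one described earlier in the thread, leaves no file for this comparison to find.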
 

nissimezra

Level 25
Verified
Apr 3, 2014
1,460
Because I had proof, from my own experience, that VMs hampered some security suites. I did many tests at the time MalwareTips was not so popular; we had very few malware testers, unlike now, and vendors like Webroot, Comodo, and some others had less good results in VMs than on real systems (don't ask me why, I can't explain since I am not a developer).

It is why I ask testers to specify in what environment it is done, VM or real; at least watchers know it and can adjust their opinion accordingly.

When the military buys a new combat plane, they don't just watch videos or use a plane simulator; they send their pilots to test it first.

For me it is the same: I want a real-environment test so I can say, "OK, this product is good at the moment the test was done; I can go further and test it myself or recommend it to someone."

I agree with this. A really serious test should be done with forensic tools (like FMIAS, the one our member N.nvt created): one log/snapshot of the full system taken before the infection and one after, then compared.

Hence rule n°2

I agree again, but at least I want to reduce the margin of error by avoiding VM tests.

Yes, I don't deny that, and I thank them because I don't have the time and resources to do it myself; and by putting in place some rules/guidelines, I want to help them gain a wider audience and look more professional.
We all agree that these tests are not accurate and that we should not rely on them, so let's just enjoy watching them. And believe it or not, even from these tests there are many things to learn; it is not only to see if the system is clean or not. Watching how the web filter reacts and many other things can be very useful.

And thanks all for the tests; hope to see more of them, with or without a VM.

cheers
 