Kaspersky Cloud Free Vs 1000 recent samples test

kC77 (thread author)
Aug 16, 2021
Windows 10 VM, with Kaspersky Cloud Free, vs 1000 recent samples.....

Not much to say...
Malware was allowed to run and did trigger my IDS.

KAV free - IDS.jpg

Gif of test (download from Dropbox, 84 MB)
 
Which IDS are you using?
The one built into the UDM-Pro.
 
What tool is this you are running? Looks good.

Hi, it's the IDS (intrusion detection system) built into my gateway (UDM Pro). It flags up and blocks malicious traffic; it was the alerts from that during the test that let me know the machine was compromised.
I would imagine without this, many of these failure tests from Bitdefender/Kaspersky would have been a lot worse, as the payloads could have been delivered without this on.

You can customize what it detects and have this allowed/disallowed etc. on different VLANs...
fw2.jpg
fw.jpg

idsmap.jpg


And the UDM has good geoblocking built in to block rogue countries completely.
 

Wow that is awesome. I may look into this at some point. Cheers!
 
You could also look into CrowdSec, which is a cloud IPS system (CrowdSec, the open-source & collaborative IPS); not sure on your Linux skills, but you could possibly run it up on a Raspberry Pi.... I've never used it, but if I didn't have the one built into the Ubiquiti I'd have a go at it.
 
Interesting.
Care to test everybody's favourite here on MT, WiseVector StopX?
Hi, I already have given that a go last week and it did well! (Didn't record any test though.) I'm personally not a fan of having all your data trundled off to China!
But its detections were spot on!
Will give it another go tomorrow!
 

Looking forward to it, as I am sure many others do.
 
You'll end up competing with me :D

(Just kidding, I'm glad to see new testers, especially since we have a different approach :) )
Hi, I'm not trying to compete... my testing is way more crude. I don't test the web protections/features/extras; I only run samples against an AV engine, and ideally like to see 0 executions.... that for me is a pass.
It's amazing how many products cannot do this.
I also am probably strange in that I personally don't find an antivirus that important.... (layering protections/gateway/VLANs/adblocks/Pi-holes/DNS/OS updates/SRP/hardening OS/firmwares & safe browsing & common sense all come before an AV for me)
 

I was joking, I even followed you :P
 

Do you also test non-PE files, like scripts, documents, document templates, document add-ins, ...?
 
Hi Andy, not in this test; it's purely .exe only. I actually only set up the test VM to test Defender and hardening with .exe, but it grew arms and legs!
But I do have plenty of VBS/batch/XLSX/DLL samples; I'm sure results would be totally different with each.
 
I posted here because pure EXE tests cannot be easily interpreted as protection tests. A better AV can get systematically worse results in such tests if the samples are not extremely fresh.
 
Understood. I only really use MalwareBazaar as it's free and easy with no registration, and while samples are added there hourly/daily I'm not sure just how "fresh" they are.... but all of today's tests had today's samples from there as well as the pack from the past 10+ days.
 

The reaction of the AV to the successful infection can be very quick nowadays (usually from a few minutes to a few hours). The test samples are often much older.
The pure EXE test favors AVs that depend more on EXE detections compared to some other AVs that can depend more on non-EXE detections. Non-EXE detections can prevent many infections via EXE payloads.
Such tests usually show only the difference in a protection method, but can hardly show the protection strength. This is especially true for AVs that get very good results in Real-World tests.

Edit.
It would be much easier to interpret pure EXE tests if the samples were related to initial EXE malware (payloads excluded).
 