App Review: Kingsoft Antivirus SP 5 Test (MalwareDoctor)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

loveboy_lion

Level 1
Verified
Feb 23, 2012
511
Next time please try doing a scan with the antivirus you are testing after infecting, before scanning with MBAM, Hitman Pro and so on.
Thanks
 

Plexx

Pretty much what lovelyboy said.
If the machine is taking so long to reach due to an infection, you can still restart the system and take it from there.

It happened to me several times. I only used MBAM or a rootkit remover to remove a specific infection if the system became unbootable. Other than that, after the links test, the users usually do a pack scan, then run the infection. Restart if needed and then do a full scan with the AV solution. Only after cleaning with the solution you are reviewing are MBAM/EEK/SAS/HMP used to give the user an idea. Mind you, SAS will not be a good option on its own. You can still use it, but prepare to use other tools just for the user who is viewing to have an idea.
 

MDTechVideos

Moderator
Thread author
Verified
Staff Member
Well-known
Aug 5, 2012
473
Biozfear said:
Pretty much what lovelyboy said.
If the machine is taking so long to reach due to an infection, you can still restart the system and take it from there.

Restart if needed and then full scan with the AV solution. Only after cleaning with the solution you are reviewing MBAM/EEK/SAS/HMP are used to give the user an Idea. Mind you SAS will not be a good option on its own. You can still use it but prepare to use other tools just for the user who is viewing to have an idea.

I restarted several times and the machine was becoming less and less responsive with each re-start. In response to loverboy_lion's request, I am basically doing a prevention test. Maybe if Zonealarm didn't say every single file was safe before I downloaded it(which it did), I might have given it a chance to scan the machine before using MBAM. I could not even finish a scan with MBAM because the machine was so unresponsive.

Also, I should note this is the second time I did a full review on Zonealarm. I did pretty much the same exact test about a week ago, but did not publish it. The results were strikingly familiar to today's test. Not trying to get anybody mad at me here because I truly appreciate comments and suggestions here in the forums, but I think everyone got the gist of the product I was testing and my opinions about it. Sorry I could not finish the entire review that I was planning (going to hopefully release another one today), but sometimes things do not go according to plan.

Thank you for your understanding. :)
 

Plexx

MalwareDoctor said:
Biozfear said:
Pretty much what lovelyboy said.
If the machine is taking so long to reach due to an infection, you can still restart the system and take it from there.

Restart if needed and then full scan with the AV solution. Only after cleaning with the solution you are reviewing MBAM/EEK/SAS/HMP are used to give the user an Idea. Mind you SAS will not be a good option on its own. You can still use it but prepare to use other tools just for the user who is viewing to have an idea.

I restarted several times and the machine was becoming less and less responsive with each re-start. In response to loverboy_lion's request, I am basically doing a prevention test. Maybe if Zonealarm didn't say every single file was safe before I downloaded it(which it did), I might have given it a chance to scan the machine before using MBAM. I could not even finish a scan with MBAM because the machine was so unresponsive.

Also, I should note this is the second time I did a full review on Zonealarm. I did pretty much the same exact test about a week ago, but did not publish it. The results were strikingly familiar to today's test. Not trying to get anybody mad at me here because I truly appreciate comments and suggestions here in the forums, but I think everyone got the gist of the product I was testing and my opinions about it. Sorry I could not finish the entire review that I was planning (going to hopefully release another one today), but sometimes things do not go according to plan.

Thank you for your understanding. :)

Sorry if I come across confused, but are we talking about Kingsoft AV or ZoneAlarm?

One thing to note: If the system is less and less responsive, you can always "kill" the running infections via Killswitch (hide safe processes and graphs (another suggestion)). Also check Autoruns by CCE to see if there are any specific infections set at boot. You can still disable those without removing the infection, which will not interfere with the results in any way since you have not removed the infection but simply disabled the autostart.


Doing a video review/test on a product or a combo of products in detection/prevention (zero day or unknown samples) will unfortunately take you quite some time. You then have the unfortunate scan times which the normal user will see the video paused.

My longest review up to date on text and video were MSE (text) and the recent AhnLab V3 (video/text).

Sometimes when you get an infection and your system is nearly crippled, you can still remove the culprit but be sure to warn the users in some way what was done and briefly how it was done.
 

MDTechVideos

Moderator
Thread author
Verified
Staff Member
Well-known
Aug 5, 2012
473
Biozfear said:
Sorry if I come across confused, but are we talking about Kingsoft AV or ZoneAlarm?

Unbelievable. Thanks for catching that, Biozfear, because I cannot believe I was talking about ZoneAlarm (just did a review on it today) when this thread is about Kingsoft. :p Well, in that case I appreciate your suggestions and will try to implement them to the best of my ability in the next review.
 

loveboy_lion

Level 1
Verified
Feb 23, 2012
511
for some reason i am having mixed ideas about the test since
1) for some reason there were no alerts from kingsoft at all in your test (except 2) not sure why (since after your review i threw 20 undetected malware files at kingsoft and almost 18 out of 20 of them gave a popup from kingsoft for being suspicious etc)
2) you did not scan the system after infection with kingsoft (if the pc was not booting then it was understood but since the pc was booting you should have done the scan with kingsoft)
3) i know that its really time consuming testing security suites but when testing any suite you should try cleaning the system with the antivirus being tested as much as possible to see the actual effectiveness of the product being tested

Note this is not a criticism its more of a recommendation for your future test
Thanks
 

MDTechVideos

Moderator
Thread author
Verified
Staff Member
Well-known
Aug 5, 2012
473
loveboy_lion said:
for some reason i am having mixed ideas about the test since
1) for some reason there were no alerts from kingsoft at all in your test (except 2) not sure why (since after your review i threw 20 undetected malware files at kingsoft and almost 18 out of 20 of them gave a popup from kingsoft for being suspicious etc)
2) you did not scan the system after infection with kingsoft (if the pc was not booting then it was understood but since the pc was booting you should have done the scan with kingsoft)
3) i know that its really time consuming testing security suites but when testing any suite you should try cleaning the system with the antivirus being tested as much as possible to see the actual effectiveness of the product being tested

Note this is not a criticism its more of a recommendation for your future test
Thanks

I hope you know from all my vids in the past, present and future that they are non-biased, always honest tests, and I would put the exact same links against every AV, but unfortunately no AV tester can have that luxury. I try to be fair with each product, and always leave all settings on default as they come stock. Also, as I mistakenly said talking about Zonealarm but the same applies for Kingsoft, I am trying to test prevention abilities more so than ability to clean infections from an already infected machine that the AV let through.
I am curious, when you said I should "clean the system after infection" did you mean after the web-based portion or the execution of unknown samples, or perhaps both?
 

Plexx

MalwareDoctor said:
loveboy_lion said:
for some reason i am having mixed ideas about the test since
1) for some reason there were no alerts from kingsoft at all in your test (except 2) not sure why (since after your review i threw 20 undetected malware files at kingsoft and almost 18 out of 20 of them gave a popup from kingsoft for being suspicious etc)
2) you did not scan the system after infection with kingsoft (if the pc was not booting then it was understood but since the pc was booting you should have done the scan with kingsoft)
3) i know that its really time consuming testing security suites but when testing any suite you should try cleaning the system with the antivirus being tested as much as possible to see the actual effectiveness of the product being tested

Note this is not a criticism its more of a recommendation for your future test
Thanks

I hope you know from all my vids in the past, present and future that they are non-biased, always honest tests, and I would put the exact same links against every AV, but unfortunately no AV tester can have that luxury. I try to be fair with each product, and always leave all settings on default as they come stock. Also, as I mistakenly said talking about Zonealarm but the same applies for Kingsoft, I am trying to test prevention abilities more so than ability to clean infections from an already infected machine that the AV let through.
I am curious, when you said I should "clean the system after infection" did you mean after the web-based portion or the execution of unknown samples, or perhaps both?

What lovelyboy is referring to is after the prevention test.

It is basically pointless simply testing detection against live zero day links and samples if you do not show the user what are the solution's cleaning capabilities, regardless if it takes a long time or a second to clean.

If you wish, you can still do simply detection/prevention test without cleaning the system with the actual AV but please give a breakdown of what you will do at the beginning of the video. Furthermore, most viewers are interested in actually how well a product can protect and in case of infection, how well it can clean it.

MBAM/EEK/CCE/HMP are mainly used in such test so the user can have an idea of what the main solution missed.

If you wish, you can have a look at Languy99 and ThePCSecurity videos for an idea. Note that ThePCSecurity also does web links test only on some products.
 

loveboy_lion

Level 1
Verified
Feb 23, 2012
511
by cleaning the system i meant after infection by both web based and execution of unknown samples
and i am sure you are honest and unbiased anyways best of luck and have fun with your reviews
thanks
 

HeffeD

Level 1
Feb 28, 2011
1,690
Biozfear said:
It is basically pointless simply testing detection against live zero day links and samples if you do not show the user what are the solution's cleaning capabilities, regardless if it takes a long time or a second to clean.

Unless the product has a cloud component, I would expect the real-time and static detections to be the same, as they are using the same AV engine and virus definitions.

In other words, if the product let the malware in to begin with, I don't expect a scan that is run after the infection to now magically detect the malware.

Or am I misunderstanding what you're saying?
 

Plexx

HeffeD said:
Biozfear said:
It is basically pointless simply testing detection against live zero day links and samples if you do not show the user what are the solution's cleaning capabilities, regardless if it takes a long time or a second to clean.

Unless the product has a cloud component, I would expect the real-time and static detections to be the same, as they are using the same AV engine and virus definitions.

In other words, if the product let the malware in to begin with, I don't expect a scan that is run after the infection to now magically detect the malware.

Or am I misunderstanding what you're saying?

That is correct. I should have specified about the cloud component.

But now that I think about it, don't some products despite not having the signatures/virus definitions for some infections are able to "match it" to other known infections based on heuristics?

Maybe I am wrong here.
 

HeffeD

Level 1
Feb 28, 2011
1,690
Biozfear said:
But now that I think about it, don't some products despite not having the signatures/virus definitions for some infections are able to "match it" to other known infections based on heuristics?

Sure, but it's the same result. The AV was monitoring the infection as it was being installed. If the installation didn't trigger a heuristic detection, why would it trigger the heuristics after the malware is installed?
 

loveboy_lion

Level 1
Verified
Feb 23, 2012
511
On default settings kingsoft realtime scanner doesnt scan all files as shown in screenshot below but it does scan all files during manual scan in default settings
Kingsoft is more like a companion antivirus in default settings
Hope you get the point
Thanks



 

Plexx

Was ESET's In Depth Scan defaults with both Potentially Unwanted Applications and Potentially Unsafe Applications ticked or just the unwanted ones are ticked?

Reason I ask is because ESET's Real Time protection is using with unsafe ticked but unwanted unticked (that is if the user selects to install and enable detection of unwanted applications).
 

HeffeD

Level 1
Feb 28, 2011
1,690
loveboy_lion said:
On default settings kingsoft realtime scanner doesnt scan all files as shown in screenshot below but it does scan all files during manual scan in default settings
Kingsoft is more like a companion antivirus in default settings
Hope you get the point
Thanks

It's a little unclear to me from the screenshots just what the real-time settings are, and what the manual settings are. I know you've labeled them, but how do you know this is the case, as the GUI doesn't specify?

In any event, what is the point of running an AV that has default real-time settings that don't scan every incoming file? :s
 

loveboy_lion

Level 1
Verified
Feb 23, 2012
511
Biozfear said:
Was ESET's In Depth Scan defaults with both Potentially Unwanted Applications and Potentially Unsafe Applications ticked or just the unwanted ones are ticked?

Reason I ask is because ESET's Real Time protection is using with unsafe ticked but unwanted unticked (that is if the user selects to install and enable detection of unwanted applications).

I enable both (potentially unwanted applications) and (potentially unsafe applications)
And IF you Do a manual scan i prefer it to no cleaning so that you quarantine all detected files instead of repairing
except that everything is default
 

loveboy_lion

Level 1
Verified
Feb 23, 2012
511
HeffeD said:
loveboy_lion said:
On default settings kingsoft realtime scanner doesnt scan all files as shown in screenshot below but it does scan all files during manual scan in default settings
Kingsoft is more like a companion antivirus in default settings
Hope you get the point
Thanks

It's a little unclear to me from the screenshots just what the real-time settings are, and what the manual settings are. I know you've labeled them, but how do you know this is the case, as the GUI doesn't specify?

In any event, what is the point of running an AV that has default real-time settings that don't scan every incoming file? :s

1) the idea behind kingsoft using these settings was that they first wanted to promote their free antivirus as a companion antivirus since it was new and was not good enough as compared to other free antivirus in its earlier stage
2) since most of the users still use it as a companion antivirus they have not changed these settings since it would slow down the computer if there was another antivirus installed

EDIT:
In any event, what is the point of running an AV that has default real-time settings that don't scan every incoming file? :s

only thing that is not working in default settings is basically the behavior blocker and kingsoft not monitoring and scanning all files except that all other modules of kingsoft work as they should even in default settings

This is the realtime protection settings you can clearly see the difference in the GUI between QUICK monitor and Standard monitor
 

HeffeD

Level 1
Feb 28, 2011
1,690
loveboy_lion said:
This is the realtime protection settings you can clearly see the difference in the GUI between QUICK monitor and Standard monitor

Yea, I saw the screenshot when you posted it previously.

And no, the GUI isn't clearly explaining the difference between the two.

Sure, the Standard Monitor says that it monitors the access behavior of all files, but the Quick Monitor says that it efficiently blocks inbound attacks and execution of viruses. If it's not monitoring every incoming file, this statement has to be incorrect.
 

loveboy_lion

Level 1
Verified
Feb 23, 2012
511
HeffeD said:
loveboy_lion said:
This is the realtime protection settings you can clearly see the difference in the GUI between QUICK monitor and Standard monitor

Yea, I saw the screenshot when you posted it previously.

And no, the GUI isn't clearly explaining the difference between the two.

Sure, the Standard Monitor says that it monitors the access behavior of all files, but the Quick Monitor says that it efficiently blocks inbound attacks and execution of viruses. If it's not monitoring every incoming file, this statement has to be incorrect.

The same thing was also posted on kingsoft forum by a user and for some reason there was no reply and the topic was deleted
This was reported with the previous version will ask on their forum hope they give reply
But yes you are right the settings description given on quick monitor is misleading and should be corrected
Thanks
 
