Battle Planned: Real-world Test of Trend Micro, ZoneAlarm, Eset and Webroot

How to test?

  • Defaults

  • Tweaked


Compare list
ZoneAlarm, Eset, Webroot, Trend Micro
Platform(s)
  1. Microsoft Windows

Adrian Ścibor

From AVLab.pl
Verified
Well-known
Apr 9, 2018
223
If one day you'd like to see my test protocol, I'd be delighted to show it to you!

The only one I'll give credit to is @Adrian Ścibor , because it totally covers what I've mentioned.

Enjoy :)

I haven't had enough time to read the detailed topic, but I will answer at least this: when it comes to testing protocols, transparency, and valid tests, the AMTSO has asked us about that and a few other questions. The interview with AVLab will be published soon.
 

Vitali Ortzi

Level 30
Verified
Top Poster
Well-known
Dec 12, 2016
1,903
Recent claims have led me to plan and execute a video-recorded real-world test that will test the solutions below:
  • Webroot - highly advocated product. User claims that the product includes "sandbox"/"isolation"
  • Trend Micro - claims include that me and Shadowra have tested it in unrealistic conditions
  • ZoneAlarm - product was criticised and its users were deemed to have "insufficient evaluation skills"
  • Eset - this will be included just to regulate the test -- it is a highly reputable and regarded product.
So the framework:
On the first stage, the products will be tested with several malicious and phishing links. I will put all links in an HTML page so I can just drag and drop on top of the browser and start clicking, instead of copy/pasting from a document. I will take extra care to remove PUPs and will pre-analyse everything on various sandboxes, to ensure it is malicious.

On the second stage, products will be tested against malware that I am actively hunting on my Mac. This malware will be uploaded to a sharing portal and downloaded. I consider this to be a valid real-world scenario -- attackers can, for example, take over an Instagram account (happens very frequently) and share a malicious link there. You believe it is a trusted document coming from an acquaintance, so you rush to open it.
This malware as well will be in an HTML table so I can just click.

On the third stage, products will be tested against phishing and malicious documents that I am creating myself. These will be downloaded too. They will be as well on an HTML table, so I can just easily click.

No malware will be introduced through unrealistic means, such as malware packs.
If malware has been allowed to execute (not deleted right away), the system will be monitored with Process Explorer, potentially Wireshark, and will be scanned with Norton Power Eraser.

The framework predicts 2 verdicts only: pass and fail. Every product will be allowed to miss 1 phishing website and 0 malware samples to pass. (feedback?)

In terms of settings, I need your opinion.
ZoneAlarm (the criticised product) is a fully automated solution with no tweaks. It only allows components to be turned on and off but does not offer settings such as heuristics aggressiveness, anti-phishing aggressiveness, etc. My question is: should I, in this case, tweak other products? How many users tweak their products really? I need feedback before I kickstart.
If you ever find time to do the test it will be awesome, but I understand you are working on your business, which is more important than this test. Anyway, wishing you success.
 

BSONE

Level 2
Verified
Feb 17, 2024
91
I think that the consensus here is that every currently supported antivirus product is a viable solution. We just need to whittle them down to a top 5.
 