Solved Question malware found

Status
Not open for further replies.
Think of the two engines as a security guard versus a SWAT team. The primary Norton antivirus engine is the ever-present guard, excelling at preventing threats from ever getting in, making it the best choice for daily protection. But if a major threat has already breached your defenses, Norton Power Eraser is the specialized SWAT team you call in for its aggressive and powerful ability to neutralize the problem and secure the system.
But we are talking about auditing test results (some kind of scientific research), not an occasional incident; we have to develop and stick to a "reference" standard.
 
But we are talking about auditing test results (some kind of scientific research), not an occasional incident; we have to develop and stick to a "reference" standard.
The core issue here is that we are comparing two fundamentally different tools designed for distinct purposes, which makes any direct comparison of their 'engines' invalid. Furthermore, I disregard test results that rely on improper testing methodologies. My approach is grounded in practical experience. I've successfully cleaned infections using on-demand tools like NPE and, in complex cases, I prefer to rely on my own expertise, utilizing Sysinternals tools for a manual, surgical hunt-and-fix operation within the file system.
 
I disregard test results that rely on improper testing methodologies
Me too; using a cleaning, on-demand scanner as an audit tool is not the proper choice.
You audit a full AV's performance, so you need a comparable "full" AV to assess its detections and blocks.
That is why I consider all test results as "approximation" rather than "absolute".
I've successfully cleaned infections using on-demand tools like NPE
I used NPE once to know how it works, without suspecting infection; it took more than 10 hours to scan drives C and D, and did not detect anything.
I do not prefer on-demand scanners; either use good real-time protection, or, if you suspect being infected, re-install Windows (it takes much less time than an on-demand scan).
 
Me too; using a cleaning, on-demand scanner as an audit tool is not the proper choice.
You audit a full AV's performance, so you need a comparable "full" AV to assess its detections and blocks.
That is why I consider all test results as "approximation" rather than "absolute".

I used NPE once to know how it works, without suspecting infection; it took more than 10 hours to scan drives C and D, and did not detect anything.
I do not prefer on-demand scanners; either use good real-time protection, or, if you suspect being infected, re-install Windows (it takes much less time than an on-demand scan).
For a full audit, an on-demand scanner is the wrong tool, but for proving a specific failure, it is the perfect tool.

With that in mind, could you explain how the tests you originally cited, the ones that led you to claim the Norton Security engine was 'better' than NPE's, were methodologically sound?
 
the ones that led you to claim the Norton Security engine was 'better' than NPE's, were methodologically sound?
The proper question: the ones that led you to claim NPE is better than Kaspersky Premium, to be used after K finishes its job, to assess the efficiency of K!
 
Go post AI-generated posts and do not reply to posts not directed to you personally.
The forum owner @Jack uses AI to build posts, and has a forum bot. If it's good enough for him to use kinda thing, ya dig.


Instead of twisting things, just admit you were wrong; how freaking hard is that? None of us know everything in this field and could never claim to, especially with how it evolves. Some of us, though, are smart enough to research and keep up with these changes instead of posting drivel.
 
If behavioral analysis is not required, why is it included in an AV?
Think of an antivirus like your bodyguard. The more weapons it can use to protect you, the better because its main job is to keep you safe. Whereas, a second opinion scanner is just an investigator who comes after a crime to investigate and get information about it. It only needs a pen and a notebook because it doesn't care about you in the end.
 
Just for a quick FYI for the people who demand forensic analysis. Such services are in the $$$$$$ a day range. A team of 2 people or more travels from somewhere and spends time in cosy (if possible) nearby hotels and have 3-4 meals, often in Michelin star restaurants. And for all that, guess who is paying.

So demanding that antivirus testers (even those professional ones) perform forensic analysis to test whether the AV missed a half-dead Trojan is on the absurd side.
 
Think of an antivirus like your bodyguard. The more weapons it can use to protect you, the better because its main job is to keep you safe. Whereas, a second opinion scanner is just an investigator who comes after a crime to investigate and get information about it. It only needs a pen and a notebook because it doesn't care about you in the end.
What if a zero-day malware sample is missed by the full AV (which has signatures and behavioral analysis); how will an on-demand scanner detect it with only signatures?
I assume that to catch what slipped through an AV, I should use an AV with more tools and a better implementation of those tools.
 
If cloud analysis alone were sufficient, Norton would not use signatures in the first place.

You are speaking about auditing a robust, complete security solution's AV results.
It's not a matter of whether it's sufficient or not, but rather a matter of the product's use case. Some antiviruses rely more on the cloud than signatures, but for a second scanner that uses cloud analysis, it makes it easier to ensure that signatures are fresh and will be lighter on resources (rather than downloading about 400-800MB with each signature update).
 
Just for a quick FYI for the people who demand forensic analysis. Such services are in the $$$$$$ a day range. A team of 2 people or more travels from somewhere and spends time in cosy (if possible) nearby hotels and have 3-4 meals, often in Michelin star restaurants. And for all that, guess who is paying.

So demanding that antivirus testers (even those professional ones) perform forensic analysis to test whether the AV missed a half-dead Trojan is on the absurd side.
I know it will cost, and I never asked a tester to use it.
But I should not take for granted that McAfee missed a sample and NPE detected it; maybe McAfee is right (true negative) and NPE is wrong (false positive).
 
I know it will cost, and I never asked a tester to use it.
But I should not take for granted that McAfee missed a sample and NPE detected it; maybe McAfee is right (true negative) and NPE is wrong (false positive).
The malware tester should first take care of ensuring that the sample is malicious, actively working (C&Cs are not dead so the full behaviour can be realised) and they should ensure no other protections (like those on a router level for example) or built-in browser detections interfere with the test.

In this case a miss is a miss.

However, the theory on paper and the execution are 2 different things.
 
The malware tester should first take care of ensuring that the sample is malicious
Agree; so the tester is not waiting to run NPE and MB at the end of the test to tell that the AV under testing missed a "true" malicious sample.
How does the tester make sure, before starting, that the sample is malicious? By analysing its code, behavior, and effect; not by an on-demand scanner telling them.
 
How effective is it?
It never found any malware; it did cause more problems than it ever solved, as it never found anything, but with lots of engines you may get more FPs. In the end, after years, I gave up using it, as it seems to me times have changed. Actually, one of the prompts was some time ago on here: it was in my profile and a mod did ask whether it had found anything; along with my own thoughts, I eventually ditched it. Just how it was with me; we all have our own thoughts... I had the Realtime Pro version. I've used others similar, but with not much use, being honest, in real-time that is.
 
How does the tester make sure, before starting, that the sample is malicious? By analysing its code, behavior, and effect; not by an on-demand scanner telling them.
Reverse engineering the sample for this purpose is not necessary, it is necessary when you will be writing protections.

A sandbox report must be analysed (just as I created a whole engine for that which got put on the side as I’m working on something else).

It will need human analysis.
 
Reverse engineering the sample for this purpose is not necessary, it is necessary when you will be writing protections.

A sandbox report must be analysed (just as I created a whole engine for that which got put on the side as I’m working on something else).

It will need human analysis.
I need your opinion: what is the gain of running an on-demand scanner after the AV under testing finishes, while the tester has examined the samples before testing and is quite sure they are malicious?
Why not just say the AV tested missed 5 out of 100?
 
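The scoring model the last few posts argue for, written out as an added example (my own code, not anything from the thread's participants or from any AV vendor): ground truth for each sample is fixed by the analyst before the AV under test runs, the AV is scored only against that ground truth, and a second-opinion scanner's verdict is reported as a disagreement with the analyst rather than as evidence of an AV miss. The data set is constructed for illustration, and the Wilson interval is my choice for showing why "5 out of 100" is an approximation rather than an absolute figure.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SampleResult:
    """One sample in the audit. Ground truth is fixed BEFORE the AV runs,
    from code/behaviour analysis of the sample, never from another scanner."""
    sample_id: str
    analyst_malicious: bool       # pre-test verdict from analysis (ground truth)
    av_detected: bool             # verdict of the AV under test
    second_opinion_flagged: bool  # verdict of an on-demand scanner run afterwards


# Constructed results for illustration only; not real test data.
CONSTRUCTED_RESULTS: List[SampleResult] = [
    SampleResult("s01", True, True, True),
    SampleResult("s02", True, True, True),
    SampleResult("s03", True, True, True),
    SampleResult("s04", True, True, True),
    SampleResult("s05", True, False, False),  # missed by both
    SampleResult("s06", True, True, True),
    SampleResult("s07", True, True, True),
    SampleResult("s08", True, True, False),   # AV caught it, second opinion did not
    SampleResult("b01", False, False, False),
    SampleResult("b02", False, False, True),  # clean file flagged by second opinion
]


def confusion(results: List[SampleResult]) -> Dict[str, int]:
    """Score the AV under test against the analyst's ground truth only."""
    counts = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for r in results:
        if r.analyst_malicious:
            counts["tp" if r.av_detected else "fn"] += 1
        else:
            counts["fp" if r.av_detected else "tn"] += 1
    return counts


def wilson_interval(k: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for a proportion k/n: the band of plausible
    miss rates given that only n verified samples were used."""
    if n == 0:
        return (0.0, 1.0)
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def miss_rate_report(results: List[SampleResult]) -> Dict[str, float]:
    """Misses of the AV under test, as a count, a rate and an interval."""
    c = confusion(results)
    malicious = c["tp"] + c["fn"]
    low, high = wilson_interval(c["fn"], malicious)
    return {"missed": c["fn"], "malicious": malicious,
            "miss_rate": c["fn"] / malicious if malicious else 0.0,
            "ci_low": low, "ci_high": high}


def second_opinion_disagreements(results: List[SampleResult]) -> List[Tuple[str, str]]:
    """Where the on-demand scanner contradicts the analyst. A flag on a file
    the analyst cleared is the scanner's false positive, not an AV miss."""
    out = []
    for r in results:
        if r.second_opinion_flagged and not r.analyst_malicious:
            out.append((r.sample_id, "second_opinion_false_positive"))
        elif not r.second_opinion_flagged and r.analyst_malicious:
            out.append((r.sample_id, "second_opinion_miss"))
    return out


if __name__ == "__main__":
    print(confusion(CONSTRUCTED_RESULTS))
    print(miss_rate_report(CONSTRUCTED_RESULTS))
    print(second_opinion_disagreements(CONSTRUCTED_RESULTS))
    # the thread's "5 out of 100" figure, with its uncertainty band
    print(wilson_interval(5, 100))
```

On the constructed data the AV misses 1 of 8 verified samples, but the 95% band on that miss rate runs from roughly 2% to 47%; even 5 of 100 gives a band of roughly 2% to 11%, which is the sense in which a test result is an approximation. The second-opinion scanner's flag on b02 is listed as its own false positive, because the analyst, not the scanner, owns the ground truth.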