Hi IBK,
Many thanks for coming here and taking your time to respond. It's always good to see you here (for starters: IBK is the person behind Av-Comparatives.org).
1) Only about half are pointing directly to binaries/files. The rest are exploits. In your misses you for sure also encountered some exploits and not only direct links. The "problem" is (and it is even written in the report) that practically all products (including of course Avast) are good at blocking/detecting exploits/drive-by downloads. That's also why the % are so high. If you look at the latest research of Microsoft, the biggest issue for users is not 0-day exploits (according to their paper it's even close to 0%) but social-engineered malware, which includes also tricking users into clicking on links pointing to files. If you miss malware from the web, the test will and does reflect that. But I am glad to hear that the next version will improve further in this regard.
Fair enough. Social engineering for sure is an important attack vector, and can indeed lead to users directly running binaries. However, I don't think that a typical social engineered attack does that (have the user download and manually run a binary).
BTW would you mind sharing a link to that MS report you're referring to?
2) Too few samples: others use 10 samples for such a test and base ratings on that. We usually use 50x that size. Arguing that the sample size is too small doesn't sound fair. If it were 1 million, someone would say "who surfs to 1 million malicious sites...?" missing the whole point.
All I was saying is that Avast missed 18 samples while e.g. product B and product C missed 11 and 10, respectively. Without talking about other tests (which of course deserve the same - or even bigger - criticism also) I'm just questioning the statistical relevance of the numbers. No pun intended.
3) How user-dependent cases are interpreted is up to the user. I do not believe that a product which would ask the user for everything should get the same as a product which is able to distinguish between malware and goodware without leaving the decision up to the user. Anyway, only on chart2 you can sort based on the green bar. In chart3 you can combine blocked+userdependent.
This is probably the part where I'm most frustrated with the test. I just somehow disagree with the yellow category, simply because it tries to encompass all cases where the user has some control over the final decision. In the case of Avast Autosandbox, the message is so imperative, and has such a clear recommended action that I don't quite see a user deliberately overriding the default decision and actually getting infected. But anyway, as I've already said, we're refining the Autosandbox in v7 and so we'll probably move these files to the green category.
4) I expected that also Whole Product Dynamic Tests would be criticized (like any other test) in future if the scores are unfavorable for someone, despite the internal promotion for such sophisticated tests.
And that's fine, isn't it? Criticism is generally a good thing, if it is material.
Thanks
Vlk