Avast WEBforum

Other => General Topics => Topic started by: RejZoR on August 31, 2007, 11:43:26 PM

Title: AV-Comparative August 2007 results are up!
Post by: RejZoR on August 31, 2007, 11:43:26 PM
http://www.av-comparatives.org

The only weakness I can see is polymorphic malware. The other results were good enough.
Title: Re: AV-Comparative August 2007 results are up!
Post by: bob3160 on August 31, 2007, 11:55:19 PM
I see a lot of Advanced+ ratings but avast! is still only at Advanced.
The good thing is that avast! isn't rated as Standard as some of the others are.
This does indicate however that Alwil has some work to do to reach the top.
Title: Re: AV-Comparative August 2007 results are up!
Post by: Rafel on September 01, 2007, 12:44:38 AM
There are a lot of Advanced+.
I hope in the future it will be A+.
But there are A+ ones that eat your resources.
I prefer a lighter, good AV and not an A+ that slows down my little machine :D

GO AVAST!! FUTURE IS YOURS.
Title: Re: AV-Comparative August 2007 results are up!
Post by: Lisandro on September 01, 2007, 03:53:02 AM
The only weakness I can see is polymorphic malware.
What is the solution? Heuristics?
What would Alwil do?
Isn't this an answer? http://forum.avast.com/index.php?topic=30082.msg249209#msg249209
Title: Re: AV-Comparative August 2007 results are up!
Post by: DavidR on September 01, 2007, 04:28:08 AM
I would say it is the new Poly Module that was mentioned in the other topic you gave the link to.
Title: Re: AV-Comparative August 2007 results are up!
Post by: RejZoR on September 01, 2007, 09:11:31 AM
Is this new poly engine supposed to come with the VPS or as a program update?
Title: Re: AV-Comparative August 2007 results are up!
Post by: Vlk on September 01, 2007, 09:59:26 AM
I posted to the other thread (http://forum.avast.com/index.php?topic=30082.msg249302#new)
Title: Re: AV-Comparative August 2007 results are up!
Post by: Maxx_original on September 01, 2007, 12:41:08 PM
The poly module is a part of the VPS and its first release was at the beginning of August (unfortunately after the last comparative's deadline). The new detection capabilities bring fixed detection of the Parite virus, new detection of Driller/Tuareg (from Clementi's set), the Allaple and Sinowal worms and a few others; you can see the VPS release details (the last one added was Win32:Tibser). Detection of the new Virut variant (spreading within the last two weeks) will come ASAP, and then others will follow (Cheburgen, Detnat etc.) ;)
Title: Re: AV-Comparative August 2007 results are up!
Post by: bob3160 on September 01, 2007, 04:03:06 PM
Vlk,
When and how will any of this additional protection be available to us?
Title: Re: AV-Comparative August 2007 results are up!
Post by: Lisandro on September 01, 2007, 04:07:36 PM
Vlk, when and how will any of this additional protection be available to us?
Bob... Vlk is saying that he does not want to make a prediction or a schedule... I'm sure he will answer that these features will be available as soon as they're finished and we (the forum guys) will be the first to test them...
Besides this, the polymorphic malware module is 'inside' the VPS, so it is already available to us.
Title: Re: AV-Comparative August 2007 results are up!
Post by: the Tester on September 01, 2007, 10:51:11 PM
Hello.
I'm new to the forum and I'm using Avast Home.

A few questions/comments especially about the latest av-comparatives test.
I am a bit concerned about the poor showing by Avast in the polymorphic category.
I understand that this is already being addressed through updates (VPS)?
Is there a new version on the horizon?
If so, I'd like to be a beta tester.
Title: Re: AV-Comparative August 2007 results are up!
Post by: Lisandro on September 01, 2007, 11:04:15 PM
I understand that this is already being addressed through updates (VPS)?
It's being addressed by the VPS. However, we should expect further improvements in version 5.

Is there a new version on the horizon?
Yes. Version 5 is being baked for early next year.
Until then, there will be minor improvements to version 4.7.

If so, I'd like to be a beta tester.
The beta phase is released to forum users only, like you. Welcome.
Title: Re: AV-Comparative August 2007 results are up!
Post by: the Tester on September 01, 2007, 11:10:42 PM
Thanks for the quick replies, Tech.
It's good to hear that Avast is addressing the polymorphic issue with updates now rather than just waiting for a later version.

I have read on the forum that Avast 5 will have heuristics.
That's an excellent idea!

Looking forward to beta testing next year.
Title: Re: AV-Comparative August 2007 results are up!
Post by: Lisandro on September 01, 2007, 11:13:50 PM
Looking forward to beta testing next year.
Why don't you enjoy the forum until then?
There is a lot of experience and knowledge to share, not just on avast, but in all security and application fields.
Title: Re: AV-Comparative August 2007 results are up!
Post by: IBK on September 01, 2007, 11:21:47 PM
The poly module is a part of the VPS and its first release was at the beginning of August (unfortunately after the last comparative's deadline). The new detection capabilities bring fixed detection of the Parite virus, new detection of Driller/Tuareg (from Clementi's set), the Allaple and Sinowal worms and a few others; you can see the VPS release details (the last one added was Win32:Tibser). Detection of the new Virut variant (spreading within the last two weeks) will come ASAP, and then others will follow (Cheburgen, Detnat etc.) ;)
Tuareg: 62.5%
Insane: 100%  :)
The rest of the ones from Clementi's set are currently unchanged.
Title: Re: AV-Comparative August 2007 results are up!
Post by: the Tester on September 01, 2007, 11:24:06 PM
Looking forward to beta testing next year.
Why don't you enjoy the forum until then?
There is a lot of experience and knowledge to share, not just on avast, but in all security and application fields.

I will.
I have an interest in Avast as a user, and it's my recommendation to family and friends who need a quality free antivirus.
Glad to help where I can.
Title: Re: AV-Comparative August 2007 results are up!
Post by: Lisandro on September 01, 2007, 11:35:00 PM
Tuareg: 62.5%
Insane: 100%  :)
The rest of the ones from Clementi's set are currently unchanged.
A little bit less technical and more people could start to imagine what you are talking about ::)
Title: Re: AV-Comparative August 2007 results are up!
Post by: IBK on September 01, 2007, 11:39:37 PM
I was talking about the improved poly detection; the detection of the two mentioned viruses is now respectively higher than four weeks ago.
Title: Re: AV-Comparative August 2007 results are up!
Post by: RejZoR on September 01, 2007, 11:56:05 PM
Still not good enough. I expect no less than 50% coverage (100% detection, that is) of the mentioned samples (this means at least 6 samples being 100% detected). Still, it's good to see some progress... 100% would be even better.
Title: Re: AV-Comparative August 2007 results are up!
Post by: JerryM on September 02, 2007, 12:23:54 AM
Looking forward to beta testing next year.
Why don't you enjoy the forum until then?
There is a lot of experience and knowledge to share, not just on avast, but in all security and application fields.

Agreed. 8) 8)
I have found the folks here always ready to help.
I have not been concerned by the poor showing on the polymorphic tests. Maybe ignorance is bliss.
Jerry
Title: Re: AV-Comparative August 2007 results are up!
Post by: Maxx_original on September 02, 2007, 11:11:53 AM
OK.. Insane/Devir looks good... and about Tuareg/Driller: good to know the score, we must prepare more samples of this family and improve the detection.. thanks to Andreas for a quick re-test of his poly set ;)..
Title: Re: AV-Comparative August 2007 results are up!
Post by: Maxx_original on September 02, 2007, 11:35:45 AM
Still not good enough. I expect no less than 50% coverage (100% detection, that is) of the mentioned samples (this means at least 6 samples being 100% detected). Still, it's good to see some progress... 100% would be even better.

The new poly module has been included in the VPS since August 13, and 25 detections have been added until now. A little progress is visible in the "hardcore" polymorph table, but Andreas has many polymorphs in his set (Twinny, Legacy, Zaprom, Orez, KME...) and we must detect them too, no matter whether they are "visible" to people... so the results of the re-scan aren't bad, when you assign them to the ~2-week block starting from August 13...
Title: Re: AV-Comparative August 2007 results are up!
Post by: IBK on September 02, 2007, 01:03:54 PM
True. avast already shows a big improvement after 4 weeks when scanning the set of missed samples.
Title: Re: AV-Comparative August 2007 results are up!
Post by: Lisandro on September 02, 2007, 04:11:44 PM
True. avast already shows a big improvement after 4 weeks when scanning the set of missed samples.
Thanks IBK for the explanations.
Glad to see that avast's policy is in the right direction.
Title: Re: AV-Comparative August 2007 results are up!
Post by: avatar2005 on September 02, 2007, 09:01:52 PM
Glad to see that avast's policy is in the right direction.
Fully agree with that ;). Way to go AVAST! 8)
Title: Re: AV-Comparative August 2007 results are up!
Post by: Dwarden on September 04, 2007, 04:11:07 PM
IBK, is there any chance for the tests to include support for unpackers, like various install packers etc.?
But I guess that's way too complicated and time-consuming.
Title: Re: AV-Comparative August 2007 results are up!
Post by: igor on September 04, 2007, 05:06:27 PM
I don't think it's a good idea... It doesn't really matter whether an antivirus unpacks the packed archive (and detects the malware inside), or whether it detects the malware from "outside", using a signature taken from the packed installer itself.

So yes, it is nice to be able to unpack various archives, but "more unpacking" doesn't necessarily mean "more detection" (as many readers would probably assume, so the test might be rather misleading).
Title: Re: AV-Comparative August 2007 results are up!
Post by: Dwarden on September 04, 2007, 09:25:41 PM
Yep, it should be more like part of some bonus on-demand scan and features test :)
Title: Re: AV-Comparative August 2007 results are up!
Post by: Tonanet on September 05, 2007, 12:29:20 AM
I was wondering... Hmmm... Maybe I am wrong...

But do more unpackers mean fewer signatures are needed to detect a malware?

Let's say that malware X has been packed with ten different packers, creating ten different files (versions of the malware)... If Avast has the 10 unpackers, it will only need 1 signature to detect them all. The unpackers will extract the malware from the pack, and the signature will detect it inside.

The other way around, if Avast doesn't have some of the unpackers for some of the files that were packed, it will have to create another signature to detect each sample that doesn't have the related unpacker in Avast, even though the malware is the same, just packed with a different packer.

What I see is that with more unpackers, the proactive protection increases, as it will not be necessary to receive another update with a new signature for a known malware that was only packed with some other packer...

Am I right? Does this make sense?

Thanks for your time,

Elminster
Title: Re: AV-Comparative August 2007 results are up!
Post by: igor on September 05, 2007, 12:35:51 AM
The question is: how many (existing) variants of malware are just repacks of other, already detected, malware? If most malicious files are "new", they probably won't be detected, no matter whether they are unpacked or packed with any number of packers.
I can't say what the reality is; probably somewhere in between.
Title: Re: AV-Comparative August 2007 results are up!
Post by: Maxx_original on September 05, 2007, 09:49:15 AM
btw: the test of unpacking abilities needs a lot of manual work... where to get samples? of course, you can pack your own samples detected by all tested AV's and re-run the scan.. but you'll need hundreds of samples and only a few packers/cryptors have some cmdline interface and could be processed in batch... you must check all packed files for their unchanged functionality (run them in vmware and check each one)... ooh, and of course some malware packers are strictly private and you can't prepare samples of them.. the other way is to get samples from some public service (virtotal, jotti), but here comes another big problem - how to detect the packers and an exact version if possible? problem with testing occurs also here (virtotal is full of someway corrupted files)..