Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: PotatoMan on August 23, 2008, 03:57:24 PM

Title: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 23, 2008, 03:57:24 PM
Hey guys, PotatoMan here!

I recently did a test on the heuristics of avast! professional 4.8, with today's detections.

I put the EICAR test string into notepad and saved it as free.com. Almost immediately the standard shield detected it. Good, everything is good right? I scanned it with Spybot and MalwareBytes - Same thing. Sweet! All security apps found it! Good so far.

I then uploaded it to VirusTotal. All 36 engines detected it! Awesome!

But wait...

What if I modified the EICAR test string?

What if I changed three letters?

This is the unmodified test string
Code:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
This is the modified one. (Look in the word standard)

Code:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
I entered this in notepad and once again saved it as free.com.

Wait, something is not right here...

No warning? No popup? No loud and sudden "A virus has been detected"???

So I thought, something must be wrong with the standard shield. I scanned it with the on demand scanner. Nothing.

I then scanned with Spybot and MalwareBytes. Still nothing!

Wow, what is going on here?

These are the VirusTotal results from the modified free.com.com

Antivirus   Version   Last Update   Result
AhnLab-V3   2008.8.21.0   2008.08.22   -
AntiVir   7.8.1.23   2008.08.23   -
Authentium   5.1.0.4   2008.08.23   EICAR_Test_File
Avast   4.8.1195.0   2008.08.22   -
AVG   8.0.0.161   2008.08.22   -
BitDefender   7.2   2008.08.23   -
CAT-QuickHeal   9.50   2008.08.22   -
ClamAV   0.93.1   2008.08.23   -
DrWeb   4.44.0.09170   2008.08.23   -
eSafe   7.0.17.0   2008.08.21   -
eTrust-Vet   31.6.6039   2008.08.21   -
Ewido   4.0   2008.08.23   -
F-Prot   4.4.4.56   2008.08.23   EICAR_Test_File
F-Secure   7.60.13501.0   2008.08.23   -
Fortinet   3.14.0.0   2008.08.23   -
GData   2.0.7306.1023   2008.08.20   -
Ikarus   T3.1.1.34.0   2008.08.23   -
K7AntiVirus   7.10.425   2008.08.22   -
Kaspersky   7.0.0.125   2008.08.23   -
McAfee   5368   2008.08.22   -
Microsoft   1.3807   2008.08.23   -
NOD32v2   3382   2008.08.23   -
Norman   5.80.02   2008.08.22   -
Panda   9.0.0.4   2008.08.23   -
PCTools   4.4.2.0   2008.08.23   -
Prevx1   V2   2008.08.23   -
Rising   20.58.52.00   2008.08.23   EICAR-Test-File
Sophos   4.32.0   2008.08.23   -
Sunbelt   3.1.1575.1   2008.08.23   -
Symantec   10   2008.08.23   -
TheHacker   6.3.0.6.060   2008.08.23   -
TrendMicro   8.700.0.1004   2008.08.23   -
VBA32   3.12.8.4   2008.08.22   -
ViRobot   2008.8.22.1346   2008.08.22   -
VirusBuster   4.5.11.0   2008.08.23   -
Webwasher-Gateway   6.6.2   2008.08.23   -

Link: http://www.virustotal.com/analisis/8e55f210347ef61db097635888ef3fe5

This just shows how terrible heuristics are. I hope this is improved on in V5.

What are you guys' opinions???
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: BJ_GeOrgE on August 23, 2008, 04:16:56 PM
well i think that when u changed the letters eicar test stopped being a virus...that's why all the engines didn't detect it...the 2 or 3 AV that found it as a virus must have found false positives...heuristics doesn't work like that..(by modifying a "virus" u can make it not being a virus anymore..)
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 23, 2008, 04:23:26 PM
Quote
well i think that when u changed the letters eicar test stopped being a virus...that's why all the engines didn't detect it...the 2 or 3 AV that found it as a virus must have found false positives...heuristics doesn't work like that..(by modifying a "virus" u can make it not being a virus anymore..)

I think you don't understand. Do you know how Eicar is coded?

When you open EICAR, it displays the message, EICAR STANDARD ANTIVIRUS TEST FILE, I edited it so it would say EICAR STANDING ANTIVIRUS TEST FILE. All I did was change what it said, it still has the qualities of a virus.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: ggf31416 on August 23, 2008, 04:34:20 PM
The EICAR test is not a virus.

Most AV don't detect modifications of the EICAR test except the ones allowed by the EICAR as the test was used by malware authors to fool users and analysts into believing that their malware was just a test.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: RejZoR on August 23, 2008, 04:38:59 PM
There is a strict policy about EICAR. You can find it on their page. If modification isn't bound to those rules, AV not detecting it is not really the one to blame.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 23, 2008, 04:45:03 PM
Quote
There is a strict policy about EICAR. You can find it on their page. If modification isn't bound to those rules, AV not detecting it is not really the one to blame.

Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: ggf31416 on August 23, 2008, 04:56:40 PM
Quote
Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

The EICAR don't allow such modification, so most AV don't detect them for security reasons.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 23, 2008, 05:20:52 PM
Quote
Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

The EICAR don't allow such modification, so most AV don't detect them for security reasons.

Well then there was no freaking point for doing this test, cause every member on this forum is going to do everything in there power to prove me wrong. Please lock this forum
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: BJ_GeOrgE on August 23, 2008, 05:45:11 PM
Quote
Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

The EICAR don't allow such modification, so most AV don't detect them for security reasons.

Well then there was no freaking point for doing this test, cause every member on this forum is going to do everything in there power to prove me wrong. Please lock this forum

mate calm down...we don't want to prove u wrong and there is no reason of doing it..i just don't think that by modifying 3 letters in eicar test u can test heuristics..it's not reliable...it doesn't make sense..the virus is the code written in eicar..if u modify it it stops being a virus...if u modify a letter from a code inside a game, will the game work??? no, why? coz the code isn't right..maybe by doing other modifications u can test heuristics but i don't think that changing 3 letters is the way..i wish u prove me wrong...i really do...check www.av-comparatives.org to see heuristics of each AV...
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 23, 2008, 06:00:49 PM
Quote
Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

The EICAR don't allow such modification, so most AV don't detect them for security reasons.

Well then there was no freaking point for doing this test, cause every member on this forum is going to do everything in there power to prove me wrong. Please lock this forum

mate calm down...we don't want to prove u wrong and there is no reason of doing it..i just don't think that by modifying 3 letters in eicar test u can test heuristics..it's not reliable...it doesn't make sense..the virus is the code written in eicar..if u modify it it stops being a virus...if u modify a letter from a code inside a game, will the game work??? no, why? coz the code isn't right..maybe by doing other modifications u can test heuristics but i don't think that changing 3 letters is the way..i wish u prove me wrong...i really do...check www.av-comparatives.org to see heuristics of each AV...

I have a PhD in computer science and have been removing malware off of people's computers for three years now. I know what AV Comparatives is. According to AV Comparatives, avast! has a 29% Heuristic Detection of new malware. OK

If I code a virus in VBScript to show a popup saying

Your computer has a virus! Go to fakeavhere.com to fix this!!

Which would be

lol = msgbox ("Your computer has a virus! Please go to fakeavhere.com to fix this!" ,16, "Infection!")

Now If I modified it to say

Your computer has a trojan!

It would be

lol = msgbox ("Your computer has a trojan!" ,16, "Infection!")

Which would not make the popup not a popup, but would just make it say something different. This is what I did with EICAR.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: YoKenny on August 23, 2008, 06:08:00 PM
Quote
I have a PhD in computer science and have been removing malware off of people's computers for three years now. I know what AV Comparatives is. According to AV Comparatives, avast! has a 29% Heuristic Detection of new malware. OK
Sounds more like the pedantic ramblings of the resident curmudgeon ;)
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: BJ_GeOrgE on August 23, 2008, 06:11:31 PM


Quote
I have a PhD in computer science and have been removing malware off of people's computers for three years now. I know what AV Comparatives is. According to AV Comparatives, avast! has a 29% Heuristic Detection of new malware. OK

If I code a virus in VBScript to show a popup saying

Your computer has a virus! Go to fakeavhere.com to fix this!!

Which would be

lol = msgbox ("Your computer has a virus! Please go to fakeavhere.com to fix this!" ,16, "Infection!")

Now If I modified it to say

Your computer has a trojan!

It would be

lol = msgbox ("Your computer has a trojan!" ,16, "Infection!")

Which would not make the popup not a popup, but would just make it say something different. This is what I did with EICAR.

well i dont have any diploma in computer science since i'm only 18..u may be right since ure a computer expert..can u link any site that has a guide of doing such things?i like learning stuff like this  8)
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: YoKenny on August 23, 2008, 06:16:38 PM
Quote
well i dont have any diploma in computer science since i'm only 18..u may be right since ure a computer expert..can u link any site that has a guide of doing such things?i like learning stuff like this 
I learned from the master:
"So how did I get infected in the first place?" © Tony Klein
http://www.freedomlist.com/forum/viewtopic.php?t=22879
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 23, 2008, 06:26:03 PM
Quote
I have a PhD in computer science and have been removing malware off of people's computers for three years now. I know what AV Comparatives is. According to AV Comparatives, avast! has a 29% Heuristic Detection of new malware. OK
Sounds more like the pedantic ramblings of the resident curmudgeon ;)

Oh, how mature, bring on the parade of poetic insults, that is very insightful, well I don't find your masquerade funny in the slightest since.

Sounds more like the smart buttox ramblings of the resident know it all ;)
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PapaSmurf on August 23, 2008, 06:34:06 PM
How about a little common sense..hmmm?
PotatoMan, I do understand what you are saying, and the little message mod you made to the test string.


Having said that, let's try a more sensible approach to the subject.
There are dozens of virus software. Why?
There are a whole handful of online comparisons, testers, blogs, info overload, all about the subject
of viruses. Again I ask...why?
There are entire support groups employed by anti-vir companies to deal with viruses, questions, product support...
same question..why?

The answer is very simple.
For every detection method, there is going to be some script kiddie who is going to figure a way around it.
Since this process is an ongoing affair with "who is smarter" running the show, anti-vir software is always going to be
a process in development, hence the constant updates to the virus database.
There is NO SUCH THING as the perfect anti-virus software. Also there is NO software available that is going to work 100% of the time with 100% of all viruses, old and unknown.
So, the end user has to decide which program works the best for them.
I personally use avast because of its modular construction. I like having some control over the different types of shields.
Others may prefer something else altogether. The point is, you can rattle the alarm button all day long, it will not change these simple facts:
#1 All anti-virus products will always be "developing" better detection methods.
#2 For every detection method made, there WILL be a script kiddie to figure a way around it.
#3 Because of number 2, no anti-virus program is perfect.
#4 The only "PERFECT" method for not getting a virus is...do not surf the web. Download nothing into the system.

You can create all the alternative tests you want...(just like a script kiddie)..but in the end, I challenge you to find the "perfect" anti-vir software. It simply does not exist.
Just my two cents.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: streetwolf on August 23, 2008, 06:44:57 PM
http://archive.cert.uni-stuttgart.de/bugtraq/2003/06/msg00251.html

Might be helpful in this discussion.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 23, 2008, 06:45:28 PM
I agree 99.99991%
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 23, 2008, 06:47:36 PM
Quote
http://archive.cert.uni-stuttgart.de/bugtraq/2003/06/msg00251.html

Might be helpful in this discussion.

THAT IS THE LINK I GOT OFF OF WIKI!

That is the inspiration for this thread.

Now that someone else has done the same thing, I guess I am not so stupid, hmm?
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: Mike Buxton on August 23, 2008, 07:14:39 PM
PotatoMan,

You admit to being a plagiarist. Thus, any degrees you may hold are not worth the paper they are written upon. Which non-English speaking institution(s) awarded your claimed qualifications?
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 23, 2008, 07:33:48 PM
Quote
PotatoMan,

You admit to being a plagiarist. Thus, any degrees you may hold are not worth the paper they are written upon. Which non-English speaking institution(s) awarded your claimed qualifications?

O.K. Troll, I will play your way.

No, I did NOT take anything I wrote from above link, merely the idea, and therefore your accusation of plagiarism is indeed void.

In the future, please make sure that you have read my whole post before proceeding to post stupid stuff.

I graduated from ITT Tech (see link) in 2007. itt-tech.edu/ with a PhD in Computer Science. Ever since 2005, three of my college friends have been running a business out of Toledo, removing Malware from computers.

Anything else?
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: gdiloren on August 23, 2008, 10:32:52 PM
Well, I have no diploma in Computer Science but I think someone can investigate by himself to stimulate assistance in malware fighting and that initiatives like PotatoMan may open new roads to research :-X
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: Mike Buxton on August 24, 2008, 12:26:55 AM
Hi Avast readers and writers,

Re: Plagiarism:

The evidence is damning: for proof type the word "standing" into a highlight search.
Go to the initial post at the top of this thread on page 1 and look for the highlight.
Then, go to the link kindly given by streetwolf in Reply # 15 at the top of this page;
where about half way down you will again see the word "standing" highlighted.

Then read the words around each of the hits or, if you have the time and inclination,
read everything thoroughly as PotatoMan demands and then draw your conclusions.

If PotatoMan understands the value of silence I will not make further comment here.

My regards


Title: Re: I did some testing (Someone from Alwil should read this)
Post by: jerry12 on August 24, 2008, 12:43:09 AM
you guys are way over my head i am just a old country boy from north carolina. ;D
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 24, 2008, 08:07:41 AM
Quote
Hi Avast readers and writers,

Re: Plagiarism:

The evidence is damning: for proof type the word "standing" into a highlight search.
Go to the initial post at the top of this thread on page 1 and look for the highlight.
Then, go to the link kindly given by streetwolf in Reply # 15 at the top of this page;
where about half way down you will again see the word "standing" highlighted.

Then read the words around each of the hits or, if you have the time and inclination,
read everything thoroughly as PotatoMan demands and then draw your conclusions.

If PotatoMan understands the value of silence I will not make further comment here.

My regards





Wow, a couple words, that is so plagiarist of me, when I clearly stated I got this idea from a link off of Wikipedia, yes, I did what the man did in that article, but I did it differently

Why must you insist on being a troll?

Well, I refuse to argue with someone that doesn't even know how to use the quote system.

I Agree 100% with gdiloren, wow, the first time on this forum that someone agrees with me/compliments me, at least, that is how I took it with the "may open new roads of research".

And I hate to be so ready to throw a PhD in someone's face, but he questioned my qualifications, so I answered those questions.

I swear, I would make a good lawyer, hmmm??
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PapaSmurf on August 24, 2008, 08:11:43 AM
Quote
Well, I have no diploma in Computer Science but I think someone can investigate by himself to stimulate assistance in malware fighting and that initiatives like PotatoMan may open new roads to research :-X

Well said. I learn new things just reading thru this forum.
In addition to ways that viruses can mutate, there is also the matter of
opening up holes in your system intentionally. For example, online gaming.
Not only does an anti-virus software have to be designed to detect all sorts of
malicious behavior, it must also be given the ability to allow such behavior that
could lead to malicious behavior. My hat is off to any of the hundreds of software
engineers that have to stay on top of this every day. ;D
Thanks to the avast! engineers for creating a really good product..(gratuitous sucking up)
BTW, any screen shots of version 5 available?  ;D ;D ;D
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 24, 2008, 09:38:59 AM
Quote
Well, I have no diploma in Computer Science but I think someone can investigate by himself to stimulate assistance in malware fighting and that initiatives like PotatoMan may open new roads to research :-X
Well said. I learn new things just reading thru this forum.
In addition to ways that viruses can mutate, there is also the matter of
opening up holes in your system intentionally. For example, online gaming.
Not only does an anti-virus software have to be designed to detect all sorts of
malicious behavior, it must also be given the ability to allow such behavior that
could lead to malicious behavior. My hat is off to any of the hundreds of software
engineers that have to stay on top of this every day. ;D
Thanks to the avast! engineers for creating a really good product..(gratuitous sucking up)
BTW, any screen shots of version 5 available?  ;D ;D ;D

I wish :D :D :D :D ;D :D
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: RejZoR on August 24, 2008, 10:24:54 AM
Quote
There is a strict policy about EICAR. You can find it on their page. If modification isn't bound to those rules, AV not detecting it is not really the one to blame.

Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

No, we don't think you're stupid, but we do think you have problems understanding what you read (if you have read anything at all).

Quote from EICAR sample site:
Quote
The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. To keep things simple the file uses only upper case letters, digits and punctuation marks, and does not include spaces. The only thing to watch out for when typing in the test file is that the third character is the capital letter "O", not the digit zero.

If AV doesn't detect the sample which is not bound to these rules it's not AV's fault not to detect that.
And yes, changing three letters is not even a real modification. But then again, EICAR is not a real malware either so that doesn't apply.
People miss the point of EICAR sample alone. It's not there to test antivirus heuristics capability or generic detection.
It's solely for testing if AV detects anything at all. If it does, it's working. If it's not, something is wrong. Could be the POP3 scanning part, maybe filesystem filter, maybe something third, depends on what you're testing. That's what EICAR is really meant for.
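
The acceptance rule quoted above from the EICAR site can be checked mechanically. The following Python sketch is an added example, not part of the original thread and not how any particular antivirus engine is implemented; the function and constant names are hypothetical, and it assumes "total file length not exceeding 128 characters" means at most 128 bytes.

```python
"""Check a byte string against the EICAR test-file definition quoted in the thread.

Added example; names are hypothetical. Assumption: "total file length not
exceeding 128 characters" is read as len(data) <= 128 bytes.
"""
from dataclasses import dataclass, field

# The 68-character known string from the first post, split in two so this
# source file does not itself contain the contiguous test string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")  # space, tab, LF, CR, CTRL-Z
MAX_LEN = 128


@dataclass
class Verdict:
    conforms: bool
    reason: str
    offsets: list = field(default_factory=list)  # byte offsets that break the rule


def check_eicar(data: bytes) -> Verdict:
    """Apply the quoted rules in order: known prefix, whitespace trailer, length."""
    prefix = data[:len(EICAR)]
    if prefix != EICAR:
        # Offsets where the first 68 bytes differ, plus any bytes that are missing.
        bad = [i for i, (a, b) in enumerate(zip(prefix, EICAR)) if a != b]
        bad += list(range(len(prefix), len(EICAR)))
        return Verdict(False, "prefix-mismatch", bad)
    bad = [i for i in range(len(EICAR), len(data)) if data[i] not in ALLOWED_TRAILER]
    if bad:
        return Verdict(False, "non-whitespace-trailer", bad)
    if len(data) > MAX_LEN:
        return Verdict(False, "too-long", list(range(MAX_LEN, len(data))))
    return Verdict(True, "conforms")


# Constructed sample inputs (not captured files).
SAMPLES = {
    "original": EICAR,
    "original + CRLF": EICAR + b"\r\n",
    "STANDING variant": EICAR.replace(b"STANDARD", b"STANDING"),
    "text appended": EICAR + b" hello",
    "text prepended": b"REM " + EICAR,
    "padded to 129 bytes": EICAR + b" " * 61,
}


def report(samples=SAMPLES):
    """Return {sample name: Verdict} for every constructed sample."""
    return {name: check_eicar(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in report().items():
        print(f"{name:22} {v.reason:24} {v.offsets[:8]}")
```

The STANDING variant from the first post fails at byte offsets 39 to 41, inside the 68-character known string, so it falls outside the quoted definition.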
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 24, 2008, 11:19:51 AM
Quote
There is a strict policy about EICAR. You can find it on their page. If modification isn't bound to those rules, AV not detecting it is not really the one to blame.

Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

No, we don't think you're stupid, but we do think you have problems understanding what you read (if you have read anything at all).

Quote from EICAR sample site:
Quote
The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. To keep things simple the file uses only upper case letters, digits and punctuation marks, and does not include spaces. The only thing to watch out for when typing in the test file is that the third character is the capital letter "O", not the digit zero.

If AV doesn't detect the sample which is not bound to these rules it's not AV's fault not to detect that.
And yes, changing three letters is not even a real modification. But then again, EICAR is not a real malware either so that doesn't apply.
People miss the point of EICAR sample alone. It's not there to test antivirus heuristics capability or generic detection.
It's solely for testing if AV detects anything at all. If it does, it's working. If it's not, something is wrong. Could be the POP3 scanning part, maybe filesystem filter, maybe something third, depends on what you're testing. That's what EICAR is really meant for.

Even so, if Rising, F-Prot, and Authentium STILL detect it, that has to mean something, right? If avast! doesn't detect a three char modification, and those three do, avast! must only be recognizing certain parts of file?

Rising, Authentium, and F-Prot for all my knowledge use advanced heuristics.

See my reply about VBscripting
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: RejZoR on August 24, 2008, 12:06:35 PM
You should ask yourself why only those 3 are detecting it and NO one else...
My answer is that all others follow the very specific detection rules for EICAR and these 3 AV's don't.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 24, 2008, 01:11:53 PM
avast! still needs better heuristics
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: RejZoR on August 24, 2008, 01:18:49 PM
It may or it may not, but that still doesn't have much to do with EICAR specifically.
It just means those three do not follow EICAR rules as designed by EICAR creators.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: essexboy on August 24, 2008, 01:38:46 PM
AVG is now running heuristics and the amount of people posting and asking for help at G2G has increased with false positives generated by AVG.  Also it blocks some analysis tools making the cleanup task harder.   Heuristics are a two edged sword

My 2p
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: BJ_GeOrgE on August 24, 2008, 01:46:18 PM
Quote
You should ask yourself why only those 3 are detecting it and NO one else...
My answer is that all others follow the very specific detection rules for EICAR and these 3 AV's don't.

totally agree with RejZoR....the question is not why only three detected it but why did they detect it?
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: Mike Buxton on August 24, 2008, 03:24:38 PM
PotatoMan,

(a) Re your final words as quoted from your Reply # 7 [my corrections]:

....every member on this forum is going to do everything in there [their] power to prove me wrong. Please lock this forum [thread].

(b) Re your final words as quoted from your Reply # 23 [my comment]

I swear, I would make a good lawyer, hmmm??

[Lawyers are trained to understand the importance of grammar, words and spelling.]
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PapaSmurf on August 24, 2008, 03:46:37 PM
Quote
AVG is now running heuristics and the amount of people posting and asking for help at G2G has increased with false positives generated by AVG.  Also it blocks some analysis tools making the cleanup task harder.   Heuristics are a two edged sword

My 2p

I would have to agree with this, but that will be true for any AV that is advancing scanning techniques.
I think it is important to note that you should not depend solely on a single piece of software, but rather a combination
that work well together to provide an all around balanced approach to keeping the system safe.
I am NOT a big fan of false positives, but they are bound to happen as the AV software versions advance. Sort of a debug
phase.
If I thought that one single piece of software would do the job, my start up folder would be a lot smaller..lol.  ;D
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: PotatoMan on August 24, 2008, 04:26:06 PM
Quote
PotatoMan,

(a) Re your final words as quoted from your Reply # 7 [my corrections]:

....every member on this forum is going to do everything in there [their] power to prove me wrong. Please lock this forum [thread].

(b) Re your final words as quoted from your Reply # 23 [my comment]

I swear, I would make a good lawyer, hmmm??

[Lawyers are trained to understand the importance of grammar, words and spelling.]


I hate you, please go away, troll... :D


Anyways, I guess I am wrong, I just thought this test would help avast! improve, but, oh well. Thanks for everyone who posted positive comments (not the guy I am quoting).

Sorry for any false data I may have provided...
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: DavidR on August 24, 2008, 04:36:11 PM
Quote
avast! still needs better heuristics

You keep talking about avast! Heuristics (or better heuristics) and as far as the definition of Heuristics goes, avast doesn't have heuristics, confirmed in many topics in these forums. So any test you devise to test its heuristics will fail as it doesn't have heuristics.

The Internet mail is said to have heuristics (which doesn't extend to the standard shield or other shields), but this is very basic and not what most would call heuristics.
Title: Re: I did some testing (Someone from Alwil should read this)
Post by: Lisandro on August 24, 2008, 11:06:20 PM
Quote
avast! still needs better heuristics

Besides what David said, the effectiveness of the generic signatures is there...
http://forum.avast.com/index.php?topic=38131.msg319212#msg319212