Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: gowiththeflow on March 06, 2010, 08:57:56 PM

Title: Not trolling just really want an honest discussion
Post by: gowiththeflow on March 06, 2010, 08:57:56 PM
I occasionally visit the matousec site to see whether there is any new product worth checking out. Imagine my surprise when I saw avast name appearing on the list ...

http://www.matousec.com/projects/proactive-security-challenge/results.php

I am tech inclined but not enough to evaluate everything they say on that site. Can someone please relate the relevancy of the tests they did over there, to what avast was designed to accomplish? I can't tell for certain if they were comparing apples to oranges when they put avast on the list.
Title: Re: Not trolling just really want an honest discussion
Post by: DavidR on March 06, 2010, 09:51:50 PM
This has been discussed in a number of topics already and by all accounts the Matousec tests were run against only the firewall, e.g. they disabled the other components of the avast Internet Security suite, which will remove part of the overall protection.

The avast firewall isn't sold as a stand alone firewall where such firewall test would hold more water. So to attempt to test it in isolation by disabling other elements of the AIS to me invalidates the results when no user will run the avast firewall in that way but as part of the integrated security suite.
Title: Re: Not trolling just really want an honest discussion
Post by: Hermite15 on March 06, 2010, 10:13:41 PM
which tells a lot about Matousec's neutrality  ;D knowing that for Comodo firewall, he (Matousec) considers the HIPS (def+) as belonging to the firewall (  ;D ), which of course leads to brilliant results in leak tests, but prefers to deactivate other components when testing Avast5 firewall  ::)
Title: Re: Not trolling just really want an honest discussion
Post by: gowiththeflow on March 06, 2010, 10:51:42 PM
Okay I read through the other threads. They cleared things up quite a bit ... thank you.

Would I be correct to postulate that avast is excellent at protecting clients' mishaps (e.g. downloading trojans) but does not evaluate actions by servers (e.g. leaktests)?  ???

Hmmm how much difference is there between a HIPS and avast's behavior shield? Or are they different beasts altogether?
Title: Re: Not trolling just really want an honest discussion
Post by: Hermite15 on March 06, 2010, 11:06:41 PM
avast isn't very good at leak tests...yet. The firewall is mainly inbound protection oriented. I can't tell how good it would be at preventing an already (and silently) downloaded trojan from connecting. What I can tell is that there might be a new "HIPS like" module in the future... (called "process control")...I'm not sure about that at all, it's just been mentioned, so I don't know how this would work exactly.
As to the behavior shield, no it can't be compared to a HIPS. The bs is watching the system and is able to report unusual changes to avast that could take action pretty fast by introducing new parameters in the engine and the database >>> next update. So just don't think of it as a HIPS. Also, be aware that the bs doesn't have any "rule sets" for 64 bit OS... yet. Might never be the case, browse the forums for more...
Title: Re: Not trolling just really want an honest discussion
Post by: Derelict_AZ on March 06, 2010, 11:08:04 PM
There's a huge difference. Behavior Shield relies on the virus database to react to threats, whereas a good HIPS will put you in full control of the OS. You need to make decisions on what to block or allow. Running one is also a good way to learn about what is going on behind the scenes on your Windows box. You can get into trouble if you block the wrong thing, so some caution is needed until you get familiar with things. I would recommend taking a look at Malware Defender (http://www.torchsoft.com/en/md_information.html) if you're interested. It's a great classical HIPS and is easy to learn and use.
Title: Re: Not trolling just really want an honest discussion
Post by: Lisandro on March 06, 2010, 11:15:59 PM
To have a HIPS application running with efficiency in a computer, the user must have discipline and patience, a lot of patience.
If you answer yes to all questions... what you're doing is wasting time answering...
I'm not a man to use HIPS. I'd rather have a good antimalware tool running and deciding what is infected and what is not.
Title: Re: Not trolling just really want an honest discussion
Post by: Hermite15 on March 06, 2010, 11:20:34 PM
I got the feeling that security software companies are moving towards more and more silent applications, and sophisticated enough to avoid the need of a HIPS, while being able to bring an equivalent level of protection... but that's just a feeling (from someone who's been an addict of Comodo Def+ and very shortly a user of System Safety Monitor)...new techniques are coming it seems, relying on online reactions, and the HIPS concept might be already an outdated thing.
Title: Re: Not trolling just really want an honest discussion
Post by: Derelict_AZ on March 06, 2010, 11:33:14 PM
I agree and for the vast majority of end users having someone else decide what's a good or bad action to allow is going to be welcome. I guess I'll be a holdout and keep using a HIPS and making the decisions myself. :) Hopefully, avast! will continue to offer a modular installer if they go this route, so that the end user can pick and choose which components to install.

It is also true that a HIPS demands a level of patience and discipline to use. However, this is at the beginning of use until you've created a good ruleset for your system. After the initial period, your alerts will be few and far between. The exception to this is during a new install, but that is what the HIPS is for. What if the install was being conducted by malware and not the end user?!
Title: Re: Not trolling just really want an honest discussion
Post by: gowiththeflow on March 06, 2010, 11:33:50 PM
I would recommend taking a look at Malware Defender (http://www.torchsoft.com/en/md_information.html) if you're interested. It's a great classical HIPS and is easy to learn and use.

So the optimal setup would be avast free with all shields active, comodo free with only the firewall enabled, and malware defender for the HIPS?

Wait ... can malware defender's HIPS be run without their firewall?

I'm not a man to use HIPS. I'd rather a good antimalware tool running and deciding what is infected and what is not.

For this to work ... doesn't it mean someone needs to first report a finding so that a signature can be generated?  :P

I got the feeling that security software companies are moving towards more and more silent applications ...

I use comodo but with def+ disabled. If only I can figure out how to allow WinFF to run new cmd scripts, so it won't require me to click on the def+ popup each time ...
Title: Re: Not trolling just really want an honest discussion
Post by: sded on March 06, 2010, 11:46:54 PM
Avast! actually sends up rules as well as plain old signatures as part of the database updates.  So what you can do with BB and Network Shield (advertised as a light IDS) activated has never been explored by Matousec.  I don't know either, BTW.  ;)  Of course the first thing a conventional HIPS like Comodo tells their users who find they have problems with their own leak tests is "you are in the wrong mode, dummy".  Like they tell Matousec, don't use the default (quiet) mode if you want good leak protection.  Think of this test scenario:  You have a product set up to maximize the number of situations that generate popups for unknowns.  You are told before the test that all of the popups are malware.  Question of the day (Security for Dummies):  What do you need to do to maximize your score?  (hint: The developer part is to add more popups to get one for each of the test cases).   Harder question of the day (where the work is moving):  How can you do this silently?  e.g. how do you automate your HIPS without a godzillion FPs and still catch everything.  You can count on whitelists, etc. but you still need to deal with the residue.
And in spite of all these good intentions, and tests against questionable threats, you had better have an imaging program and backup regularly, because the malware community is usually a step ahead of the security community.  :)
Title: Re: Not trolling just really want an honest discussion
Post by: galooma on March 07, 2010, 12:31:05 AM

And in spite of all these good intentions, and tests against questionable threats, you had better have an imaging program and backup regularly, because the malware community is usually a step ahead of the security community.  :)

This reflects my opinion as well. Sam Spade's opinion still holds true for me http://samspade.org/d/firewalls.html

regards
Title: Re: Not trolling just really want an honest discussion
Post by: Derelict_AZ on March 07, 2010, 12:52:26 AM
So the optimal setup would be avast free with all shields active, comodo free with only the firewall enabled, and malware defender for the HIPS?

Wait ... can malware defender's HIPS be run without their firewall?

You can't separate out the firewall during the install, but you could create an "allow all" type of network rule if you're going to rely on another firewall for application network protection. I'm running MD alongside Jetico PFW and there is some overlap regarding the network rules (I have rules set in both apps and don't use an "allow all"). MD's network protection fails Comodo's Leak Test Suite's DNS test, but it can be supplemented with a good firewall to overcome that. A free one that I know is pretty good is Softperfect Firewall (http://www.softperfect.com/products/firewall/) and if memory serves me right when I tested the two together it passed the DNS test.

I use comodo but with def+ disabled. If only I can figure out how to allow WinFF to run new cmd scripts, so it won't require me to click on the def+ popup each time ...

You can create wildcard rules with MD that would cover these cmd scripts.
Title: Re: Not trolling just really want an honest discussion
Post by: YoKenny on March 07, 2010, 12:55:57 AM

And in spite of all these good intentions, and tests against questionable threats, you had better have an imaging program and backup regularly, because the malware community is usually a step ahead of the security community.  :)

This reflects my opinion as well. Sam Spade's opinion still holds true for me http://samspade.org/d/firewalls.html

Please watch the 2 10 minute videos:
http://www.besttechie.net/2008/08/20/malwarebytes-developer-interview <== software firewall discussion starts about 8 minutes into the first video
Title: Re: Not trolling just really want an honest discussion
Post by: sss on March 07, 2010, 08:58:20 AM
Thanks Cloussau & Yokenny for the links.
That article (& the link given on the article's page) & the two videos leave users something more to think about.
The articles are old but the arguments there seem relevant to the present situation.
The view expressed in the videos, which are much newer, is very much consistent with the article.
Title: Re: Not trolling just really want an honest discussion
Post by: YoKenny on March 07, 2010, 10:33:26 AM
@ sss

Thanks.

I would hate to be known as a GWF ;)
Title: Re: Not trolling just really want an honest discussion
Post by: lukor on March 07, 2010, 11:06:14 AM
Hi Guys,

just a few things I would like to add, the main purpose of the suite is to keep your PC healthy and clean, and we try to use all sort of measures / shields to achieve that. The antivirus is the main of them. The firewall of course keeps unwanted traffic outside as well, but as soon as the PC is infected (e.g. malware or in this case leaktest is running on it), it should be deleted quickly - and not just blocked from doing networking stuff.

What is the point of running your system infected (which is the situation leaktests are testing) and just blocking the virus/Trojan/backdoor from opening their own ports or connections, if they can do lots of other things that are usually undetected without running antivirus (such as infecting your attachments and letting yourself and your trusted mail client send them).

So I don't really understand why should someone test a suite with antivirus against unwanted programs and switch the antivirus part off.

On the other hand there are many things in Matousec's set of tests that make sense and are quite reasonable to require from your product - e.g. kill tests. I don't understand however why the tests are structured in those so called levels, so that you cannot evaluate all tests until some artificially chosen test cases in the previous levels are passed. What were the criteria by which these levels were chosen? Isn't for example the "verifier" test, currently on level 9 or 10, the main requirement - the driver should not bluescreen?

And last, apparently Matoušek ran the tests with silent mode (auto decide on) and then evaluated this really unprofessionally - such as that the firewall does not filter UDP packets - which is simply not true and switching into "Ask" mode would easily prove it.

Lukas
Title: Re: Not trolling just really want an honest discussion
Post by: Shiw Liang on March 07, 2010, 12:53:23 PM
Then avast firewall is best for you tech ^_^
Because you don't have to answer a lot of question with it :)
Title: Re: Not trolling just really want an honest discussion
Post by: Sesame on March 07, 2010, 02:47:03 PM
Avast! Internet Suite is, different from other popular suites, built up from its core components of Anti-Virus.  Alwil didn't develop its firewall as standalone since it is designed to work with other basic components.  Comparing it with a product such as Comodo with anti-virus turned off is like comparing "chalk and cheese."  Considering that, Kaspersky is arguably doing a good job but, of course, it costs a bit more.
Title: Re: Not trolling just really want an honest discussion
Post by: sded on March 07, 2010, 04:20:53 PM
Thanks Lukor,
I think you have given us something to reference at least as "unofficial Alwil comments about the Matousec tests" rather than just some user opinions.
Regards;
Ed
Title: Re: Not trolling just really want an honest discussion
Post by: Gopher John on March 07, 2010, 04:38:37 PM
Thanks Igor,
I think you have given us something to reference at least as "unofficial Alwil comments about the Matousec tests" rather than just some user opinions.
Regards;
Ed

I must be blind.  Where is Igor's post in this thread that you are thanking him for?  I tried to find and read it, but cannot.  Perhaps you meant lukor??

Or perhaps it was a post by Igor in another thread about Matousec's tailored testing of competitors' products.
Title: Re: Not trolling just really want an honest discussion
Post by: Hermite15 on March 07, 2010, 04:41:56 PM
Quote: Where is Igor's post in this thread

yeah I noticed that too a minute ago  ;D come on that's easy to explain, Igor posts more often and Lukor rather rarely, which easily explains that mistake from sded  ;)
Title: Re: Not trolling just really want an honest discussion
Post by: sded on March 07, 2010, 04:53:59 PM
I fixed it.  Sorry Lukor, am just too used to seeing Igor and Vlk here.  Will make sure you get proper credit.   ;D
Title: Re: Not trolling just really want an honest discussion
Post by: NON on March 07, 2010, 05:00:49 PM
Matousec releases their test suite officially, so I think Alwil can inspect avast! only for self-defense test, regardless of level.
Or I have wrong viewpoint?

I doubt why Matousec uses "Level" in their test, indeed...
Title: Re: Not trolling just really want an honest discussion
Post by: Gopher John on March 07, 2010, 05:21:14 PM
I fixed it.  Sorry Lukor, am just too used to seeing Igor and Vlk here.  Will make sure you get proper credit.   ;D

Not to worry.  I thought I'd actually missed something important. :D  The credit and a $1.50 will get me a cup of coffee, right? 8)

Joking aside, thanks to all the Alwil staff that are participating here.  We know that it's not easy sometimes.

Title: Re: Not trolling just really want an honest discussion
Post by: sded on March 07, 2010, 06:12:24 PM
Hey, I was in a hurry to go feed my wife and cat.  But recognized at a glance that it wasn't Vlk.   :)  One problem with Matousec is the lack of other recognized testing for firewalls/suites other than places like PC Magazine.  And getting tested as a HIPS when you don't use a classical HIPS for protection and the rest of your product is turned off to level things has given red scores to lots of companies.  The YouTube Videos and sketchy reports from Wankers with Windows are kind of fun demonstrations sometimes, can even provide some useful information, but not really scientific testing.
Title: Re: Not trolling just really want an honest discussion
Post by: Lisandro on March 07, 2010, 08:52:19 PM
So I don't really understand why should someone test a suite with antivirus against unwanted programs and switch the antivirus part off.
Neither do I.
I see only a reason: biased.
Oh, I see a second reason: FUD.
Title: Re: Not trolling just really want an honest discussion
Post by: Hard_ROCKER on March 07, 2010, 09:24:25 PM
The only problem is that the majority of users will look at these tests and conclude that avast! sux.


EDIT: Spelling ...  ;D
Title: Re: Not trolling just really want an honest discussion
Post by: gowiththeflow on March 08, 2010, 10:07:00 PM
Thank you everybody, I now understand the issue a bit better.

Somewhat related ... I just read this one http://blogs.zdnet.com/security/?p=5602  - it seems to suggest no one can get rid of HIPS entirely, if ever :(