Avast! virus/trojan detection speed/quality

[Dwarden]

In last month i got 5 or 6 "events" where customer which was usually positive about Avast! antivirus
ordered different Antivirus solutions (McAfee, NOD32, Kaspersky, AVG) with explaining
"we were in last months infected multiple times by viruses / trojans passing via up2date Avast!"

in numbers it mean for Alwil loss of dozens Avast! Pro versions, some SBS licenses and some other server licenses ...

and i must admit this is not first time in this year i hear such story from firms paying theirs AV defense ...

also to my suprise another bad opinion about Avast! came this week from my good friend ...
 where he work they run together multiple AV engines on server to increase detection chances on files passing IN/OUT network and experimentally using multiple AVs at some clients ... outgoing results are that Avast! fails to detect huge block of new viruses and trojans "in time"...

now if i add my own experience with huge delays on some trojans and viruses before they added to Avast! VPS ...

as result I'm very worried if i can continue to suggest Avast! as good solution for home users & firms in same way like i was in last 2 years ...

as workaround for Home users I'm experimenting with 'Avast!Home + AVG 7.1 free edition + ClamAV' package ... so far it works (wXP) ... suprising including both Avast and AVG residents at once and where ClamAVsurprising is used as on-demand backup ....

i hope with new Year there will be some major change in virus/trojan submission system for Avast! and improved times on adding trojans/viruses into VPS ...!

[alanrf]

Interesting story.

However, it is just that - sorry to be critical but it is totally lacking in verifiable information.  I rather suspect I might find a similar story in the AVG forum.  For now  your post is just FUD (fear uncertainty and doubt). 

Please let us know when you have more detailed and verifiable analysis of your customers' experiences.   

[FreewheelinFrank]

Here on the forum I often see people with a problem with malware which hasn't detected, and too often when I do a search for that malware, a link comes up for a writeup from Sophos or Symantec or McAfee.

I find the same thing cleaning computers for the occasional customer. Too many times I find a Trojan using Hijack This! which avast! hasn't noticed, and a write up for that Trojan in another AV site.

Admittedly I run Trend Micro Sysclean before avast!, so Trend has missed them too!

It's true that any AV can miss viruses: I've seen computers infected by a virus Symantec has missed.

But dismissing stories like this out of hand is like putting your head in the sand: if avast! wants to be taken seriously as an AV, it needs to improve the speed with which malware is added. I've seen too many stories of how people submitted malware which was not added for weeks, checked too many files on Jotti and seen Kaspersky and others identify malware but avast! not.

avast! needs a kick up the pants, and Dwarden is doing just that. Don't shoot the messenger!

[alanrf]

I did not shoot the messenger. 

If the messenger came with information I can check and not just generalities then I would pay a lot more attention.

I am far - indeed very far - from being uncritical of avast! myself - but I will not indulge in "avast is failing" posts unless I can back it up with facts.

If indeed it is true that:

results are that Avast! fails to detect huge block of new viruses and trojans "in time"

then surely some evidence of these "huge blocks" can be provided and some further indication of how far avast! is failing to be "in time".

I did not suggest that no problem exists but anyone can walk in and say there is  some undefined problem. 

[Lisandro]

Seen Kaspersky and others identify malware but avast! not.

Undoubtly, Kaspersky has a very very good detection, submition and analysis procedures.

But, like Alan, in this issues we need to know: file name, path, virus name, date of submition, etc.
Otherwise, just throwing words in the wind. I have my complains about avast detection for sure.
Using two residents (even AVG at Windows XP), well, I won't trust in the user coments after this.
There are a lot of situations, discussed a lot here, that this won't work, on contrary, will mess everything.
I won't trust in non-technical complains about this kind of user.
Merry Christmas 

[Dwarden]

uhm so you trying disrespect / nullify what i said ? ...

please don't use arguments about malware detection here this post was about viruses and  trojans not rest of malware (like spyware) ...

 sorry but i said and i repeat this is about Avast! repeatly failing to prevent infection 'in time'...  on correctly (High) set configurations on up2date VPS and program versions ... and that story came from multiple customers NOT just some rare ones ...

re:Tech = nowhere in my post is said that fail was when running multiple residents, Avast! was the single used. What you mean with 'I won't trust in non-technical complains about this kind of user' ?  who You got in mind me or my customers? i doubt You know anything about me or them anyway so You not in position to even try to judge ...

 

But, like Alan, in this issues we need to know: file name, path, virus name, date of submition, etc.

filename useless, path useless, only what matter is hash of infected binary, date of submission and name ... but why i should repeat myself ... search some of my months old posts in virus section , i named some of them there ... (but to say at least one here from new ones 8.12.2005, Trojan-Clicker.Win32.Small.is )

what you want as proofs ? magic ? or You think network admins care about product which is failing writing up each missed piece ? no, they simple move to products which not fail them ... yes it's hard but true ...

it's problematic get samples of viruses / trojans which avast! not found for events which happened days or weeks ago ... most of them don't keep these ... and if samples are kept , they were always sent to Alwil ...

detection speed examples? ... trojans multiple times submitted in last year were added with 4+ months delays ... some were never added by Avast! (but for example Kasperky added them within days) ... from trojans submitted 2 weeks ago only one was added yesterday ... etc.

or You suggest to publish on some website what viruses, trojans, spyware, malware whatever is undetected by Avast! ? (some sort community driven site?) that's not bad idea ...  why such site don't exist yet ?

--

related to multiple residents ...

until You prove me that resident solution Avast!+AVG is failing i will take your `comments` as just throwing 'genius' words into wind ...

tried it yet? we got 3 test machines running 24/7 with this config testing false alarms, various types of infections etc. against machine with just single of of them ... if we find moment where it fails ... then you right ... so far nothing such happened ...

also if you experiment often with multiple AV you find various combinations working w/o problem (if you don't fear to loose some performance) ... it's all about skills of these who config it ...

plus don't mismatch server side multi AV solution with clientside multi AV solution ... two totally different things ...

[Vlk]

Dwarden,

1. about the detection rates and speed of updates: I sort of agree that avast! is currently not in its best form but we're working hard to change this. We have just hired 3 more virus analysts, are actively working on a way to greatly improve the process of sample submissions etc... However, all those things take some time. I'm hoping 2006 will be a pivotal year in this sense - you guys will see a dramatic improvement in the detection rates as well as reaction speeds - and avast! will return to where it was in the late 90's - on the very top.


2. About running two resident AV's at the same time. In most cases, if the two AV's don't lock the machine (-- Avast and AVG is an example of such a setup) the problems usually crop elsewhere than in the Standard Shield (I mean the on-access file system scanner) - and they're more subtle and harder to debug. Take e.g. the mail scanner. It's usually like this: avast pops the infected mail from the server and extracts the viral attachment to a temp folder. AVG's on-access scanner detects the virus in it, and denies read access to the file. I.e. avast's mail scanner can't scan the file, and passes the infected mail to your inbox. Then the same things goes vice versa - AVG's mail scanner is blocked by avast's file system scanner. The same applies to other "providers" - the WebShield, the ScriptBlocker etc etc...


Thanks
Vlk

[FreewheelinFrank]

I for one needed to hear that. Good luck to you. avast! is an excellent AV, and this gives me the confidence to continue using it.

Seasons greetings.

FwF

Dwarden, sorry to butt in on your post, but I seem to have had the same concerns.

[TAP]

you guys will see a dramatic improvement in the detection rates as well as reaction speeds - and avast! will return to where it was in the late 90's - on the very top.

I'm very very glad to hear that, this seems like the valuable gift of New Year for me (and I believe this for all avast! users) indeed.

I must admit, sometimes I've always wondered, as far as I know, while other scanners (NOD32, Kaspersky, BitDefender, VBA32 or even AntiVir, AVG) keep on improving their detection technology & means like crazy but it seems to me that avast! still stays the same as it was in 2 years ago. 

And don't forget to write up more malware infromation (even in brief) on avast! website this will make avast! Antivirus looks more promising.

[Dwarden]

Dwarden,

1. about the detection rates and speed of updates: I sort of agree that avast! is currently not in its best form but we're working hard to change this. We have just hired 3 more virus analysts, are actively working on a way to greatly improve the process of sample submissions etc... However, all those things take some time. I'm hoping 2006 will be a pivotal year in this sense - you guys will see a dramatic improvement in the detection rates as well as reaction speeds - and avast! will return to where it was in the late 90's - on the very top.


2. About running two resident AV's at the same time. In most cases, if the two AV's don't lock the machine (-- Avast and AVG is an example of such a setup) the problems usually crop elsewhere than in the Standard Shield (I mean the on-access file system scanner) - and they're more subtle and harder to debug. Take e.g. the mail scanner. It's usually like this: avast pops the infected mail from the server and extracts the viral attachment to a temp folder. AVG's on-access scanner detects the virus in it, and denies read access to the file. I.e. avast's mail scanner can't scan the file, and passes the infected mail to your inbox. Then the same things goes vice versa - AVG's mail scanner is blocked by avast's file system scanner. The same applies to other "providers" - the WebShield, the ScriptBlocker etc etc...


Thanks
Vlk

well I'm very glad to hear this news  (You sure know that  I'm pushing for some speedups / changes for nearly year) ...

main reason of this post was that there are some issues and i would like to see them resolved ...

i like Avast! and i think it's really well done antivirus (in feature set etc.) and this was one of the "black" dots on shield ...

that's why i wrote in first post i hope with new Year there ...

[alanrf]

Vlk,

I am impressed by the honesty and openness in the post you made to in response to Dwarden's comments.  Many thanks.

While I must remain an avast! Home edition user since I support a number of other such avast! users (gratis) your comments persuade me that I should contribute to the improvement efforts of the avast! team (albeit in a very humble way) by purchasing a license for the product.

Wishing you and the whole avast! team a very Merry Christmas and a most successful 2006!
 

Alan

as the saying goes "money put where mouth is" now a paid licensee of avast!

[Lisandro]

uhm so you trying disrespect / nullify what i said ? ...

No, I never do this.
First because I'm not the owner of the truth.
Second because I respect other users here.
Third because you don't deserve disrespect 

please don't use arguments about malware detection here this post was about viruses and  trojans not rest of malware (like spyware) ...

I did not argument. Just post my opinion.

re:Tech = nowhere in my post is said that fail was when running multiple residents, Avast! was the single used. What you mean with 'I won't trust in non-technical complains about this kind of user' ?  who You got in mind me or my customers? i doubt You know anything about me or them anyway so You not in position to even try to judge ...

I'm just saying that your customers, if blaming or complaning, would be useful if they post more info about the virus, the infected file, etc.
Again, I don't know anything about them and this is exactly what I'm saying: they can't blame or complain without leting us (and Alwil team) know what is happening. It's useless in my opinion.

But, like Alan, in this issues we need to know: file name, path, virus name, date of submition, etc.

filename useless, path useless, only what matter is hash of infected binary, date of submission and name ... but why i should repeat myself ... search some of my months old posts in virus section , i named some of them there ... (but to say at least one here from new ones 8.12.2005, Trojan-Clicker.Win32.Small.is )

I don't judge the more info is useless, neither for us user nor for Alwil team.
For me, to help, I need more info. It's not useless.

what you want as proofs ? magic ? or You think network admins care about product which is failing writing up each missed piece ? no, they simple move to products which not fail them ... yes it's hard but true ...

Ok. I expect Administrators that wants to learn but, maybe, I'm too romantic 

it's problematic get samples of viruses / trojans which avast! not found for events which happened days or weeks ago ... most of them don't keep these ... and if samples are kept , they were always sent to Alwil ... detection speed examples? ... trojans multiple times submitted in last year were added with 4+ months delays ... some were never added by Avast! (but for example Kasperky added them within days) ... from trojans submitted 2 weeks ago only one was added yesterday ... etc.

Blaming to get a better avast. This I respect and follow. Please, blame as much as you can 
We (the users) are claming for a better product, better detection, all the time. I don't think they're angry with us about this. Are you Vlk?

or You suggest to publish on some website what viruses, trojans, spyware, malware whatever is undetected by Avast! ? (some sort community driven site?) that's not bad idea ...  why such site don't exist yet ?

I did not understand... I'm not a native English, can you rephrase?

[Lisandro]

About running two resident AV's at the same time. In most cases, if the two AV's don't lock the machine (-- Avast and AVG is an example of such a setup) the problems usually crop elsewhere than in the Standard Shield (I mean the on-access file system scanner) - and they're more subtle and harder to debug. Take e.g. the mail scanner. It's usually like this: avast pops the infected mail from the server and extracts the viral attachment to a temp folder. AVG's on-access scanner detects the virus in it, and denies read access to the file. I.e. avast's mail scanner can't scan the file, and passes the infected mail to your inbox. Then the same things goes vice versa - AVG's mail scanner is blocked by avast's file system scanner. The same applies to other "providers" - the WebShield, the ScriptBlocker etc etc...

I've tested this and experiment is in two XP SP2 computers. What Vlk said is just what happens indeed.

[Dwarden]

once more to Vlk :
now noticed the speed improvement You speak about ... trojans sent 20th were added some hours ago
must bow for that good job just one day before Xmas ...

re:tech = well we were able overcome some technical issues so it's usable but definitely nothing for absolute n00b users ...


Merry Christmas to everyone...

[rdsu]

1. about the detection rates and speed of updates: I sort of agree that avast! is currently not in its best form but we're working hard to change this. We have just hired 3 more virus analysts, are actively working on a way to greatly improve the process of sample submissions etc... However, all those things take some time. I'm hoping 2006 will be a pivotal year in this sense - you guys will see a dramatic improvement in the detection rates as well as reaction speeds - and avast! will return to where it was in the late 90's - on the very top.

Very glad to hear that 

Keep the good work