Topic: Concerned about Avasts scores.

Kobra

  • Guest
Re:Concerned about Avasts scores.
« Reply #15 on: June 07, 2004, 10:30:28 PM »
Just got word, every module in the next release of NOD32 will have Advanced Heuristics. Sheesh, I have had some bad experiences dealing with NOD32 tech support, and their poorly run forums, but man, sounds like that might be the solution whenever they release it.

Attached shot shows their beta test version of AMON the on-access realtime monitor, with Advanced Heuristics enabled.

Tempting.. Very tempting...  So honestly, there are no plans for AH/H in Avast at this time?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Concerned about Avasts scores.
« Reply #16 on: June 07, 2004, 10:38:41 PM »
Hm, I'm currently working on one right now. You can check the discussion in the WISHLIST thread in this section of the forum:
http://forum.avast.com/index.php?board=2;action=display;threadid=57;start=390

It's a very basic heuristic, but it should do the trick with minimal complications and false positives :) Something more like passive heuristic ;) I could also "program" a small simulation (presentation) on how this thing would work.

Pavel Baudis

  • Guest
Re:Concerned about Avasts scores.
« Reply #17 on: June 07, 2004, 10:42:51 PM »
Yeah, heuristics has always been a very good marketing tool - and marketing people simply love it  ;) ;D!

The truth is that it might work sometimes and it does not work other times. What do you want to analyze heuristically in the packet sniffer? New buffer overflow threads? C'mon!

Did you ever try to "analyse" scripts? There are so many ways to fool the analyzer! If you focus on it, heuristics is a method which can be fooled quite easily.

So to make the story short - I do not believe heuristics can be very useful. But as one of my old friends says: what is heuristics anyway? Actually - all current detection methods might be called heuristics   ;D - so yes, in this way, AH/AP does contain some heuristic methods!

Ok, enough for now  ;)
Pavel

Kobra

  • Guest
Re:Concerned about Avasts scores.
« Reply #18 on: June 08, 2004, 01:00:28 AM »
Good point, there *IS* a lot of hype in this field, most of it rather unfounded.  Honestly, I feel most AV companies seem behind the curve on this stuff - if you disagree, please feel free to correct me.

I'm thinking a system like Norman's, with a virtual sandbox, where you actually "Execute" the badguy, watch its reactions - basically let it play in the sandbox - then determine if it's a possible new threat (this explains how Norman's sandbox has defeated some new threats without definitions). That seems to be a very very good system.  In principle, I've yet to see more than a couple AV-Testers put Norman through the paces, because it's slower due to this system, and when they test 200,000 baddies, it would take a year. =)  Anyway, I like the idea behind that system.  (Clementi won't test Norman because it's too slow and I think that is doing the consumer a disservice, but I've put Norman through my 150 samples, and it was 100%, and I've heard similar stories from others)

Another system I was thinking about, is perhaps something like a behavior analysis situation, where the AV product simply knows how the system should behave, how a given file should react, and any deviation from this would cause further scrutiny.  Artificial Intelligence if you will.  Could that be the future?  Rumor has it, McAfee is feverishly working on this behind closed doors.

Multi-Engined systems intrigue me, double definitions - cross checked/verified between each other.  Which also would be double layered heuristics.  F-Secure impresses me with its unmatched detection/heuristics, but behind the good, is a sloppily coded application.  eXtendia AVK using KAV+RAV engine is the most powerful single AV product I've seen and the double heuristics work perfectly. Great system there, but the AV has a couple bugs that bug me, and lacks some features Avast has.  Still, I like the multi-engine idea immensely.

Clearly though, I think it's time for something new other than the grind out endless definitions MD5 compare techniques.  I applaud Avast's exceptionally feature rich product, it really is a wonderfully designed and implemented piece of work!  But I wish it employed something a bit more state of the art than a primary definition table system.

Heuristics may be a marketing scheme, but I've seen them in action, and if done right, they are what separates the top shelf products, from the mid or bottom shelf offerings.  Heuristics on my machine, have stopped rebased trojans on more than one occasion, and I hate to think what would have happened with a product LACKING heuristic detection!

Just my thoughts I guess.. I'm pretty sad Avast lacks deep detection of unknown/rebased threats, I'm sad because it's a great product, has great features, and I absolutely want to run it.
« Last Edit: June 08, 2004, 01:03:38 AM by Kobra »

Kobra

  • Guest
Re:Concerned about Avasts scores.
« Reply #19 on: June 08, 2004, 03:53:55 AM »
Followup to AV-Comparatives, I don't fully agree with these testing methods, nor some of the rationale there.  For example, why bother testing DOS viruses?  These are mostly WIN32 AV products here, and I know for a fact, DOS samples would skew results improperly.

Secondly, he doesn't test multi-engine products, or unique products like Norman AV - a corporate strength sandbox architecture that is proven in the field.  Various excuses are that multi-engined products wouldn't be fair, or would ruin the results, and that Norman in full settings is too slow scanning 300,000 files.

Honestly, remove the DOS viruses/trojans, and maybe it won't take so long to scan.  NOT testing some products is a bit disagreeable with me.  But I understand he doesn't do this for a living, and does it more out of a hobby - but the fact remains, if you are going to put your data out there for the world to see, expect criticisms if something doesn't jive.    Not trying to be harsh, I'm trying to be realistic here.  Some of the most heuristically advanced products weren't even tested there!

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Concerned about Avasts scores.
« Reply #20 on: June 08, 2004, 09:39:40 AM »
I'm thinking a system like Norman's, with a virtual sandbox, where you actually "Execute" the badguy, watch its reactions - basically let it play in the sandbox - then determine if it's a possible new threat.

I admit I don't know this system so I can be wrong, but I think I would have a few ideas how to defeat this system easily by a virus - if specifically targeted.
(I'm just trying to say that any system, no matter how sophisticated, can be fooled if the author decides he wants to.)
« Last Edit: June 08, 2004, 09:40:57 AM by igor »

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Concerned about Avasts scores.
« Reply #21 on: June 08, 2004, 09:56:05 AM »
Kobra I'm just wondering -- what is it that you like about avast, exactly? It's not so different from the other AV packages, is it?

I'm just asking because obviously you've got rich experience with competitive products (probably better than we do) and it's always good to know one's strengths and weaknesses.

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

Kobra

  • Guest
Re:Concerned about Avasts scores.
« Reply #22 on: June 08, 2004, 06:16:28 PM »
Well I had a nice long reply typed up, and it didn't save.  So here's the cliff notes version:

I can smell solid code, done by people that care about their product from a mile off. I'm rather sick of sloppy coding, and have zero tolerance for it.  Avast isn't a product that feels it should tell me how it should run, it allows me to tell it how I'd like it to run. Nothing bothers me more than products that bundle up fancy windows and splash screens, then remove all possible options to configure it - how annoying!  Avast has a very good featureset that I like as well, the only thing I'd have to complain about is the lack of an Advanced Heuristics system, or something similar.  Soon maybe.

Second, I don't put much stock in these massive virus tests some people run.  There's nothing realistic about throwing 200,000 viruses at a product and parsing the log an hour later and posting a "Win" or "Lose" list.  That is very misleading to consumers, and should only be a small part of the total test picture.   Which is why you see big companies, QC firms, and consumer testing houses do real world tests, even some long term tests.  That's the only way to effectively measure a product.  I take most of what these testers do/say with a grain of salt.

With that being said, I enjoy testing these, and breaking them, as a side hobby. I do have some engineering background, maybe that's why?  Who knows, but I feel I get to know the people behind the product by figuring out how a product thinks - sometimes I'm surprised, and find quality products.  Usually I'm let down.  My usual test period for an AV product is 1-4 week range, and they are subjected to hundreds, possibly thousands of real situations a consumer is likely to run in to.  You won't find me sweeping 100k viruses over a product, then parsing the log with a script, that's just ridiculous.  But you might find me doing things like implanting 50 different viruses and launches throughout a PC, and then seeing how many the product picks up over a week without doing a fullscan.  Things like that.

Lastly, another aspect NOBODY seems to bother addressing, is support.  Support, in my opinion, is one of the most important things to consider when buying software.  Consumer Reports recently did a survey of 10,000 members and found a majority had bad support or no support with their products.  Symantec was on the list for a case study, and it wasn't pretty.  So what happens if you do need support?  Nobody likes ignored email!  Which is exactly what you will get with most AV companies.  I'm doing a month long support study on AV products out of curiosity, and it's not pretty.  As an example, DrWeb, I finally got a response from them after being ignored for a week. Unfortunately, 3 of the responses were in Russian, and the fourth was in English but only said "Identify self immediate you get support maybe".  Whatever that means...   I'll give you a small hint so far of the first run results of my email portion of the study - I'll be running the email portion 3 times in case of error.

Kaspersky – Generally within 1-2 hours, seldom more than 12 hours.
Panda – 1-2 days (retest will be interesting, they claim to have improved this)
F-Secure – 7 Days (WTF?)
NOD32 – Varies between 3-5 days or NO RESPONSE (More common)
BitDefender – 6 Days!
Norman – 1-2 Hours, never more than 12 hours.
AVK – Varies, sometimes hours, sometimes days, sometimes never.
RAV – No more than 5 hours delay. (too bad their product isn’t sold anymore)
BOClean – 1-2 Hours, sometimes LESS, never more than 5 hours.
McAfee – I've yet to get a response whatsoever, it's been 3 weeks.
Dr.Web – 4-7 Days Wait, usually a Russian response, never helpful.
Avast – 1-12 hours usually, they even reply to virus submittals!

As you can see, some products you won't get any support at all, and you are on your own, and out of luck.  But this is only the first run of a 3 part test. I have little faith these results will change much.

Regards.

NAMOR

  • Guest
Re:Concerned about Avasts scores.
« Reply #23 on: June 08, 2004, 06:35:22 PM »
Very nice cliff notes Kobra. Thanks for sharing your views on support by various AV companies, very informative.

Klavier

  • Guest
Re:Concerned about Avasts scores.
« Reply #24 on: October 02, 2005, 02:32:41 AM »
And as you see, e.g. Avast does not only protect you against Itw-samples, but also against most (over 90%) of the zoo-samples that you will probably never encounter in real life.

Hi. I have a question regarding that post, how can (or does) Avast detect 90% of more than 140.000 (if we use Kaspersky database, etc.), if Avast database only records like 42.000+ viruses?
Thanks!

Klavier

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re:Concerned about Avasts scores.
« Reply #25 on: October 02, 2005, 04:38:23 AM »
Hi. I have a question regarding that post, how can (or does) Avast detect 90% of more than 140.000 (if we use Kaspersky database, etc.), if Avast database only records like 42.000+ viruses?
This question has been asked a lot of times here...
It's a matter of naming and numbering files, grouping them, etc.
After all, you just want all of them to be caught by the antivirus. So, just a question of merchandising: how many infections can an antivirus deal with? Don't worry, avast will take care of them however they're counted or named...
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89009
  • No support PMs thanks
Re: Concerned about Avasts scores.
« Reply #26 on: October 02, 2005, 04:58:16 AM »
This has been discussed many times before on the forums, this is just one http://forum.avast.com/index.php?topic=12401.msg104641#msg104641