Author Topic: Kobra's AV test on 6-14-04  (Read 45877 times)


Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Kobra's AV test on 6-14-04
« Reply #15 on: June 16, 2004, 02:16:11 AM »
Kobra, I have notified Quick Heal support staff (using my Dad's Quick Heal registration). I gave them the link to this thread. Reply is as follows:

Dear Kyle,

     We are working on more advanced heuristics. This new engine will be introduced in Quick Heal 7.02. Please tell Kobra to retest Quickheal once the new engine is released. We really do not see how Quickheal missed that many of his samples. If he would like, have him send the samples to you for submission (Don't forget to include your Registration code in the email).


Sincerely,
The Quick Heal Team
http://Http://www.QuickHeal.com
"People who are really serious about software should make their own hardware." - Alan Kay

Kobra

  • Guest
Re:Kobra's AV test on 6-14-04
« Reply #16 on: June 16, 2004, 02:35:21 AM »
Quote
Kobra, I have notified Quick Heal support staff (using my Dad's Quick Heal registration). I gave them the link to this thread. Reply is as follows:

Dear Kyle,

     We are working on more advanced heuristics. This new engine will be introduced in Quick Heal 7.02. Please tell Kobra to retest Quickheal once the new engine is released. We really do not see how Quickheal missed that many of his samples. If he would like, have him send the samples to you for submission (Don't forget to include your Registration code in the email).


Sincerely,
The Quick Heal Team
http://Http://www.QuickHeal.com

Any date/time on the new engine? The biggest thing I noticed with QuickHeal was it claims to have heuristics, yet I witnessed *NO* heuristics in action. I've re-installed it twice now and re-tested twice to make sure.

Secondly, how big is their database? I'm guessing it's pretty small, and with or without heuristics, a new AV company is at a severe disadvantage because signatures take time to build, unless they arrange to buy or rent definitions from another company. One product, Ahn's V3 Pro, has an EXCEPTIONAL interface and layout, and incredible options. But their definition base is so small, it's just not a viable product for most people.

I've got one more test I'm going to try with Quickheal, and that's going to be on a Win98 machine to see if it behaves any differently; then I'm done with it for now.

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Kobra's AV test on 6-14-04
« Reply #17 on: June 16, 2004, 03:07:22 AM »
Oh, it has heuristics (weak). However, it does have a heuristic-like worm detector called the Quick Heal Sensor which runs at startup to check for suspicious changes in the registry and also looks in real time for methods common to spreading worms.

Quote
SENSOR FOR NEW WORMS, TROJANS AND BACKDOORS

This new sensational technology is designed to fight the threats posed by new Trojans, Worms and BackDoors.

    * Checks most sensitive areas of the system
    * Traps and captivates any new Trojan, Worm, Backdoors and any other malicious code
    * Powerful Protection from Internet Threats.
    * Proactive Technology kills the malicious code before it can act.


The database is a decent-sized one; however, a lot of the old DOS viruses are omitted. (Most are extinct anyway)

BTW Quickheal has a Personal Firewall that is in BETA form right now. It will be $28 when finished. Maybe you could do a firewall roundup next?
« Last Edit: June 16, 2004, 03:09:21 AM by MacLover2000 »
"People who are really serious about software should make their own hardware." - Alan Kay

Kobra

  • Guest
Re:Kobra's AV test on 6-14-04
« Reply #18 on: June 16, 2004, 03:34:19 AM »
I wonder about this AV

http://www.v-buster.com/

 ;D :D 8) ??? :o

You guys ready for this?

Ok, the bad first:
This is probably the worst laid-out and implemented AV I've ever seen in my life; it's horrible to install, horrible to run, and really is a DOS program overlaid with a really bad Windows GUI. This appears to have NO archival/packer support, and cannot detect archived baddies whatsoever (well, it is a DOS program after all). Overall, it's a gross-looking and old-school operating program.

Now the good:
This thing is, without a doubt, the coolest and neatest little thing I've seen in a while. It is definition-less, but manages to detect 265 out of 321 baddies, and considering *MANY* are packed/archived, that's probably a 100% score - right out of the box without any connection to the internet and no ability to update. It's scoring 82.55% without the ability to unpack/unarchive? Ironically, most of the baddies it's finding, it's finding with some type of heuristics or code emulation, and it's very fast, alerting me with "Definately a unknown Trojan" or "Strange Acting File, Probably Virus".

Nobody could possibly like this program, I don't think, as far as running it and using it; it's rather a pain in the rear, but I cannot argue with its detection/heuristics and ability to find new stuff. Maybe the guys at Avast should contact this dude and try to license his technology? :o

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Kobra's AV test on 6-14-04
« Reply #19 on: June 16, 2004, 06:14:55 AM »
Another email from CAT on your "any date/time for new engine" question:

Hello Kyle,

    Thanks for contacting Quick Heal support! The new engine is in the 4th Beta stage. We run them through 5 Beta versions to work out most of the bugs. The Beta engine is only given to the public upon request. Late June to mid July you should see the public release.


Sincerely,
The Quick Heal Team
http://Http://www.QuickHeal.com
"People who are really serious about software should make their own hardware." - Alan Kay

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:Kobra's AV test on 6-14-04
« Reply #20 on: June 16, 2004, 02:57:49 PM »
Kobra, thanks, that exactly fits what I "heard" about that AV. I wonder if the author is preparing a full w32/w64 version, as it would be bad to throw away such a quality heuristic engine (the only comparable one which comes to my mind is Dr. Web).
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Kobra's AV test on 6-14-04
« Reply #21 on: June 16, 2004, 04:26:22 PM »
About V-Buster: really funny looking tiny program but certainly worth looking at...
If at first you don't succeed, then skydiving's not for you.

Technodrome

  • Guest
Re:Kobra's AV test on 6-14-04
« Reply #22 on: June 16, 2004, 05:00:14 PM »
Inexperienced users should clearly steer away from this AV. V-Buster is a purely heuristic scanner and it will probably give you a lot of FPs.

There is a similar (freeware) av scanner (ROSE SWEs Heuristic Based Virus Scanner) that you can download from http://195.58.189.134/~rose-1/software.htm .


tECHNODROME
« Last Edit: June 16, 2004, 05:12:47 PM by Technodrome »

Kobra

  • Guest
Re:Kobra's AV test on 6-14-04
« Reply #23 on: June 17, 2004, 12:04:11 AM »
Forget that program, I found a better one. Updated list:

Updated testing results, several additional products tested. Special note to the changes in first place. Notes on the changes:

Discovered and tested MKS-Vir2004, from Poland. Surprisingly, this one caught every sample perfectly on Medium Heuristics. Specifically, nearly 50 samples were picked up heuristically, giving it a perfect score of 321/321. However, when I increased Heuristics to "Super Deep", it picked up an additional 10 more suspicious files. Upon further investigation, it was found that it was picking up signatures of hacktool utilities left over in some of the archives and flagging those files. Indeed, this is impressive. MKS-Vir2004 exhibits the most advanced detection algorithms I've ever seen; clearly it only had signatures for 271 of my samples, but through code emulation, it was able to pick up all 321 samples!! It clearly labeled the heuristically found ones as things like "Likely Win32 Trojan" or "Highly Suspicious Acting File". In addition, its scanning speed was incredibly quick, and its memory footprint was quite small. Impressive! Furthermore, this is a full-featured and fairly polished product that appears to update at least once per day, and tech support responded to me within 5-15 minutes on my emails. Unfortunately, it appears to not be available in the US for purchase at this time.

Tested other additional products, Antidote, PerAV, Vir.IT, FireAV, and VirusBuster.  Results are below.

1a) MKS_Vir 2004 - 321/321 0 Missed - 100%
1b) eXtendia AVK - 321/321 0 Missed - 100%
2a) Kaspersky 5.0 - 320/321 1 Missed - 99.70% (with Extended Database ON)
2b) McAfee VirusScan 8.0 - 319/321 + 2 (2 found as joke programs - heuristically) - 99%
3) F-Secure - 319/321 2 Missed - 99.37%
4) GData AVK - 317/321 4 Missed - 98.75%
5) RAV + Norton (2 way tie) - 315/321 6 Missed - 98.13%
6) Dr.Web - 310/321 11 Missed - 96.57%
7) CommandAV + F-Prot + BitDefender (3 Way Tie) - 309/321 12 Missed - 96.26%
8) ETrust - 301/321 20 Missed - 93.76%
9) Trend - 300/321 21 Missed - 93.45%
10) Avast! Pro - 299/321 22 Missed - 93.14%
11) Panda - 298/321 23 Missed - 92.83%
12) Virus Buster - 290/321 31 Missed - 90.34%
13) KingSoft - 288/321 33 Missed - 89.71%
14) NOD32 - 285/321 36 Missed (results identical with or without advanced heuristics) - 88.78%
15) AVG Pro - 275/321 46 Missed - 85.66%
16) AntiVIR - 268/321 53 Missed - 83.48%
17) Antidote - 252/321 69 Missed - 78.50%
18) ClamWIN - 247/321 74 Missed - 76.94%
19) UNA - 222/321 99 Missed - 69.15%
20) Norman - 215/321 106 Missed - 66.97%
21) Solo - 182/321 139 Missed - 56.69%
22) Fire AV - 179/321 142 Missed - 55.76%
23) V3 Pro - 109/321 212 Missed - 33.95%
24) Per_AV - 75/321 246 Missed - 23.36%
25) Proland - 73/321 248 Missed - 22.74%
26) Sophos - 50/321 271 Missed - 15.57%
27) Hauri - 49/321 272 Missed - 15.26%
28) CAT Quickheal - 21/321 300 Missed - 6%
29) Vir_iT - 10/321 311 Missed - 3%
30) Ikarus - Crashed on first virus. - 0%

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:Kobra's AV test on 6-14-04
« Reply #24 on: June 17, 2004, 04:58:21 AM »
Quote
MKS VIR2004


I'm testing it, quite impressed ...
Just Very High Heuristic flagged PowerStrip (not surprised at all) and GetRight (surprised) and mp4fil32.dll and xzipper30.ocx (very surprised) to be the same type of trojan w32.4 :)

I got an idea, can you add scan times to your tests?
« Last Edit: June 17, 2004, 05:08:08 AM by Dwarden »
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Kobra

  • Guest
Re:Kobra's AV test on 6-14-04
« Reply #25 on: June 17, 2004, 05:05:31 AM »
Testing the very-high heuristic setting, it's flagged 2 of my archiver brute-force password breaking programs as "Suspicious" - which I'm impressed with. It's also flagged a small registry editing program I have as the same. :o

If you watch your RAM in task-manager as it scans a file, you see the RAM jump, and if there are several files, you see it jump more. I'm going to throw out a guess here, but this program seems to use a Sandbox/Virtual Machine/Code Emulation type system. It's like it loads stuff up and runs it in a virtual playground, and does it so fast you don't even notice. I could be wrong, but it's pretty wild how it knows a zipfile password cracker that they can't possibly ever have heard of is slightly dangerous. Either way, they've got some magical heuristics going on.

I like how you can slide the heuristics around from Off -> Low -> Medium -> High -> Very High to suit your needs. I'm the kinda guy that runs stuff on full-out max, so this is a nice toy for me to play with. In my tests, sadly, I've found much of this heuristic talk in many programs to be totally bogus, but a few programs stand out in this category, and MKS_Vir is definitely one of them!

Try scaling down the heuristics and see how it eliminates them. Obviously there's code activity it doesn't like in those things it's picking up. ;D
« Last Edit: June 17, 2004, 05:10:39 AM by Kobra »

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:Kobra's AV test on 6-14-04
« Reply #26 on: June 17, 2004, 05:17:38 AM »
Downloaded http://www.geocities.com/visitbipin/SERVER_dwn.zip

Renamed and moved this file to another folder:

D:\Downloads\a\111111111111111111111111111111111111111111234SERVER_dwn.zip

This archive bomb made mks_vir go to its knees, trying to rescan the file many times, then returning already-found "positives" from past times as new findings ...

Looks like it hates this extract bomb :)
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive
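The rescan loop Dwarden describes is the classic failure mode of an unpacker that follows nested archives without bounds. As an added illustration (not code from this thread or from any product tested in it), here is a Python sketch of the three limits a scanner applies before expanding a member: nesting depth, per-member expansion ratio, and a total byte budget. The limit values and the sample archive are constructed for this example.

```python
import io
import zipfile

# Limits a scanner applies before expanding a nested archive (illustrative values).
MAX_DEPTH = 1            # archive-in-archive levels the scanner will follow
MAX_RATIO = 100          # uncompressed / compressed bytes allowed per member
MAX_TOTAL = 10_000_000   # total bytes the scanner is willing to expand


def scan_archive(data, depth=0, budget=None):
    """Walk a zip recursively; 'refused' lists (member, reason) pairs that tripped a limit."""
    if budget is None:
        budget = [MAX_TOTAL]  # a list so nested calls share the remaining budget
    summary = {"scanned": [], "refused": [], "nested": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Expansion ratio is checked from the central directory, before any decompression.
            if info.file_size / max(info.compress_size, 1) > MAX_RATIO:
                summary["refused"].append((info.filename, "ratio limit"))
                continue
            if info.file_size > budget[0]:
                summary["refused"].append((info.filename, "total size limit"))
                continue
            budget[0] -= info.file_size
            member = zf.read(info)
            if not zipfile.is_zipfile(io.BytesIO(member)):
                summary["scanned"].append(info.filename)
                continue
            if depth + 1 > MAX_DEPTH:  # nested archive beyond the depth limit is flagged, not opened
                summary["refused"].append((info.filename, "depth limit"))
                continue
            inner = scan_archive(member, depth + 1, budget)
            summary["nested"] += 1 + inner["nested"]
            summary["scanned"] += inner["scanned"]
            summary["refused"] += inner["refused"]
    return summary


def build_sample():
    """Constructed input (not a real bomb): a harmless text file, a highly compressible
    member that trips the ratio limit, and a zip nested two levels deep."""
    def zipped(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, payload in members.items():
                zf.writestr(name, payload)
        return buf.getvalue()
    level2 = zipped({"deep.txt": b"deep content"})
    level1 = zipped({"level2.zip": level2})
    return zipped({"readme.txt": b"hello", "zeros.bin": b"\0" * 1_000_000, "level1.zip": level1})
```

Each refused member is reported once with its reason, so the caller can mark the archive suspicious and move on rather than re-entering the same file.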

Starfighter

  • Guest
Re:Kobra's AV test on 6-14-04
« Reply #27 on: June 17, 2004, 05:31:58 AM »
Quote
Discovered and tested MKS-Vir2004, from Poland.  ...  Unfortunately, it appears to not be available in the US for purchase at this time.

Kobra, just curious, but did you test their demo or full version? I haven't yet figured out what they want in payment for their software (i.e. if you can order it (online purchase) off the internet and download it that way). As you say, it appears not to be available in the US (seems they sell this software "tweaked" for Poland).

« Last Edit: June 17, 2004, 05:34:18 AM by Starfighter »

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:Kobra's AV test on 6-14-04
« Reply #28 on: June 17, 2004, 05:43:37 AM »
I'm testing the demo, I'm  :o :o :o :o :o :o :o :o :o :o from this one  ;D
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Kobra

  • Guest
Re:Kobra's AV test on 6-14-04
« Reply #29 on: June 17, 2004, 05:44:21 AM »
I have the full registered version on trial for 1 month, because the demo version doesn't receive the definition or engine updates, which seem to be coming between 1 and 5 times per day. :o Keep in mind, I think the demo is running off an old update/engine as well... lol

When my 30 days are up, I'll be buying it I'm sure, unless I can make other arrangements with them. This AV product blows me away, plain and simple; I've never seen heuristics this advanced, even with CommandAV. At the very LEAST, this will be my backup scanner. They have emailed me the name of a US distributor; I'll be calling them tomorrow for more info and pricing.

PS: AVK isn't fooled by any mail bombs either.
« Last Edit: June 17, 2004, 05:46:40 AM by Kobra »