
Recent On-demand Test By Emsisoft.


39 replies to this topic

#1 Blackcat
    Newbie
  • Posters
  • 14 posts

Posted 30 April 2009 - 16:19

On-demand scanner has been tested by Emsisoft; http://www.emsisoft.com/en/software/scanner/

Taking into account that this is a vendor's test, DW is still down towards the bottom of the heap.

Any comments?

#2 Dr33
    Newbie
  • Posters
  • 45 posts

Posted 30 April 2009 - 17:04

Clam Free
Comodo Free
AVG
have a better detection rate than Dr Web. Indeed this is a bad thing, but I still use DrWeb :rolleyes: but wish to see better results in tests.

#3 SergM
    Guru
  • Moderators
  • 9,387 posts

Posted 30 April 2009 - 17:15

The reasons there:

All scanners had to scan our Malware collection, consisting of a total of 39,332 dangerous files. In accordance with the current usual distribution of threats, the test set consisted mainly of Trojans/Backdoors, Worms and Bots but also included all other types of Malware such as Viruses, Spyware, Adware, Rootkits, Keyloggers, Dialers, etc. All detected files were deleted in order to find out how many samples remained undetected.

These settings aren't checked by default, IMHO.

#4 ArD
    Member
  • Posters
  • 102 posts

Posted 30 April 2009 - 17:40

After an in-depth analysis some files were rated as harmless in the meantime.

;)

btw, without information about scanner settings and without access to the samples, one can only guess the reasons for such results.

There are a lot of files that can be infected but they'll be harmless for some reason. For example, an infected executable file that has some bytes added at the beginning of the file.
Dr.Web won't detect this file as infected, 'cause it's harmless and is not executable in fact. But if you remove these bytes, that file will be detected and cleaned from infection. Most anti-virus vendors don't go so deep and detect all the crap that they've found.

Another interesting thing: how many files can be cured from that collection, but not simply deleted. One thing is to detect and delete an infected file, another thing is to detect and cure that file, especially if it's a system one. :)

#5 Dr33
    Newbie
  • Posters
  • 45 posts

Posted 01 May 2009 - 00:19

With that point of view many antiviruses should just ignore a lot of malware because the file has been modified [wrong].

If the infection cannot be cleaned, the important thing at first is to detect it and put it in a safe vault; then the user will see what to do.

If it is a system file and cannot be cleaned, it is a different story.

If you modify some kind of malware and the AV lets it pass because it is not harmful, another piece of that malware can mutate the file and you get infected, so I don't think it's a valid option.

So just putting all effort into cleaning a file is not as important as protecting the user from more malware.

#6 Dr33
    Newbie
  • Posters
  • 45 posts

Posted 01 May 2009 - 00:20

By the way, I am a happy customer of DrWeb; I just think it needs to put more effort into detection.

#7 C.S.J
    Member
  • Posters
  • 199 posts

Posted 02 May 2009 - 13:31

It stands to reason that our own in-house product will produce the best detection rate against our own Malware samples

I'd like DrWeb to do a similar test and post their results.

DrWeb would be #1, and I'm sure many of the big boys maybe would not be when using DrWeb's samples.

I see this test as nothing but propaganda, especially when the company in question gives so many false alarms, which I doubt many people would question. I also doubt if they knew whether to take them out of the test, as their FP rate only took 0.01% off their sample test, with their 'in-depth' analysis of their own samples. :lol:

Nobody really believes this, surely? ;)

Over the past few weeks, I've been trying, testing and doing some analysis myself (see the renewal thread for reasons why) and I'm pretty confident a renewal of DrWeb will happen. While not perfect, DrWeb is outstanding; it finds and removes threats that others simply do not. Usually... they find but don't remove; in fact... in some of my testing, a couple of the AVs would crash completely on such infections.

Sure, there would be an argument over prevention being better than detection, hence my Prevx, which is quite revolutionary in itself; I know of no software like it, only cheap imitations.

DefenseWall is probably the most secure piece of anti-malware available; I may renew that with DrWeb as an ex-customer...... but at the moment, I'm very happy with my Prevx and DrWeb combo. :)

#8 Blackcat
    Newbie
  • Posters
  • 14 posts

Posted 02 May 2009 - 19:57

Over the past few weeks, I've been trying, testing and doing some analysis myself (see the renewal thread for reasons why) and I'm pretty confident a renewal of DrWeb will happen,

Good news for Dr Web English users and for this Forum.

DefenseWall is probably the most secure piece of anti-malware available; I may renew that with DrWeb as an ex-customer...... but at the moment, I'm very happy with my Prevx and DrWeb combo. :)

I have licenses for all 3; CPU time is the killer for me with DefenseWall and my computer is definitely heavier with it installed.

So I have sacrificed some protection for the lightweight duo of DW and Prevx. ;)

#9 risl
    Member
  • Posters
  • 228 posts

Posted 05 May 2009 - 16:27

Well..

I sent around 16 malware files before I went to France for a week. After I came back: only 1 file is detected, as Trojan.Muldrop.31314... And today I received a reply for a ticket from 01/01/2009 that the file I sent was not a threat.

Unsolved ticket numbers and dates:

03/26: 834653
03/27: 839847
04/13: 854162 (archive containing 8 files)
04/16: 858031
04/24: 867060
04/26: 867370

We exchange some malware links at one Finnish anti-malware community just for testing purposes and we send the files to AV vendors. But I must be honest and admit that if I download, for example, 10 files, probably one or two are detected, and almost 1 out of 20 files is detected by any heuristic methods despite the "origins tracing" and "heuristic analyzer." The detection percentages seem to be very low, or somehow I manage to have "bad luck."

All of these are ITW viruses because they are downloaded from real web pages, not some virus exchange forums/collections and so on. The latest was hxxp://put.ghura.pl/***.exe

.. I put hxxp and *** in the link so as not to make people download real malware.

#10 SergM
    Guru
  • Moderators
  • 9,387 posts

Posted 05 May 2009 - 17:05

04/13: 854162 (archive containing 8 files)

Look at this topic - it's the words of a virus analyst.

Faster: one virus - one inquiry.

http://forum.drweb.com/index.php?showtopic...20&start=20

#11 ArD
    Member
  • Posters
  • 102 posts

Posted 05 May 2009 - 19:06

With that point of view many antiviruses should just ignore a lot of malware because the file has been modified [wrong]

What do you mean by saying "modified"? If you modify the infected part of the file then you'll get a new malware (generally speaking). But if you add some bytes only at the beginning of the executable file you'll get just a corrupt (harmless) executable that you won't be able to run and infect (or do something wrong to) your system.

If the infection cannot be cleaned, the important thing at first is to detect it and put it in a safe vault; then the user will see what to do

For many other A/V vendors, if the virus is detected but cannot be cleaned now, it also means that it won't be cleaned ever. It's not good to keep half of a disk in quarantine. ;)
And most of the users don't even know what to do with files in quarantine.

As for Dr.Web, if the malware can be detected then it would be cleaned.

If it is a system file and cannot be cleaned, it is a different story

btw. this story happens at least a hundred times a day around the world...

If you modify some kind of malware and the AV lets it pass because it is not harmful, another piece of that malware can mutate the file and you get infected, so I don't think it's a valid option

Dr33, you didn't get it right. In my previous post I wrote that if an infected file is broken and can not do any harm to your system then it's not detected. If that infected file is reverted back to its working condition (by some other malware or program or by any other means) then it would be detected and cleaned.

So just putting all effort into cleaning a file is not as important as protecting the user from more malware

Just get infected with some file-infecting virus and you'll change your opinion. :) Just kidding.
Seriously speaking, the Dr.Web team puts a lot of effort into both of these directions. But while other vendors think that detecting an infected file is enough, the Dr.Web guys try to clean everything that can be cleaned.
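ArD's point (here and in post #4) that a sample with bytes added in front of the MZ header cannot run until those bytes are removed can be checked mechanically when triaging a test set. The Python below is an added example, not code from this forum or from Dr.Web: it builds a constructed minimal PE image (assumption: 64-byte DOS header, e_lfanew at 0x3C, then "PE\0\0" and a 20-byte COFF header), classifies a buffer as a clean image, a prefixed image, or not a PE at all, and carves the embedded image so the body that would actually run can be scanned or submitted. The labels and function names are my own.

```python
import struct
from typing import Optional

# Constructed minimal PE image (assumption: a 64-byte DOS header whose e_lfanew
# field at offset 0x3C points at "PE\0\0", followed by a 20-byte COFF header).
# It carries no code; it exists only so the header-chain check has an input.
def build_minimal_pe() -> bytes:
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> offset 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

def _header_chain_valid(data: bytes, base: int) -> bool:
    """True if an MZ header at `base` points to a PE signature inside `data`."""
    if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe_off = base + e_lfanew
    if e_lfanew < 0x40 or pe_off + 24 > len(data):     # room for PE sig + COFF header
        return False
    return data[pe_off:pe_off + 4] == b"PE\0\0"

def _embedded_offset(data: bytes) -> int:
    """Offset of the first valid MZ/PE chain anywhere in `data`, or -1."""
    idx = data.find(b"MZ")
    while idx != -1:
        if _header_chain_valid(data, idx):
            return idx
        idx = data.find(b"MZ", idx + 1)
    return -1

def pe_status(data: bytes) -> str:
    """Triage label for a sample:
    'pe'        - MZ/PE chain valid at offset 0, a loader would at least look at it;
    'prepended' - a valid chain exists only at a later offset, i.e. junk bytes sit
                  in front of the image and a loader rejects the file as-is;
    'not-pe'    - no MZ/PE chain anywhere."""
    off = _embedded_offset(data)
    if off == 0:
        return "pe"
    return "prepended" if off > 0 else "not-pe"

def carve_embedded_pe(data: bytes) -> Optional[bytes]:
    """Return the image with any leading junk removed, or None if there is none.
    This carved body is what a dropper could restore and what is worth scanning."""
    off = _embedded_offset(data)
    return None if off < 0 else data[off:]

if __name__ == "__main__":
    good = build_minimal_pe()
    broken = b"JUNK" + good        # constructed "bytes added at the beginning of the file"
    print(pe_status(good), pe_status(broken), pe_status(b"hello world"))
    print(carve_embedded_pe(broken) == good)
```

The check only validates the header chain; a real loader verifies far more, so "pe" means "not obviously broken", not "guaranteed to run".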

#12 risl
    Member
  • Posters
  • 228 posts

Posted 05 May 2009 - 19:38

Cleaning or restoring an infected system is excellent, but it's still a cold and pure fact that no infection would happen if the file is detected as malicious in the first place and therefore infection is prevented. The system should never get to the state where curing is necessary.

Everyone is hoping that Dr.Web would improve in this because the majority of the tests suggest that Dr.Web is behind others and some crappy open source scanners and similar are scoring better.

#13 ArD
    Member
  • Posters
  • 102 posts

Posted 05 May 2009 - 20:46

Cleaning or restoring an infected system is excellent, but it's still a cold and pure fact that no infection would happen if the file is detected as malicious in the first place and therefore infection is prevented. The system should never get to the state where curing is necessary.

Tell me the name of the antivirus with a 100% 0-day detection rate and I'll agree with you. ;)
We live in a real world and A/V vendors will always lag behind the malware authors. Even with all such things as HIPS, heuristics etc. :(

Everyone is hoping that Dr.Web would improve in this because the majority of the tests suggest that Dr.Web is behind others and some crappy open source scanners and similar are scoring better.

In fact the majority of the tests don't reveal the real situation on A/V detection rates.

#14 risl
    Member
  • Posters
  • 228 posts

Posted 05 May 2009 - 21:27

Of course there isn't a 100% solution and probably never will be. Cars are tested with dummies and they get Euro NCAP safety ratings. The crash tests don't reflect the real world, but still car manufacturers take the tests seriously and try to get maximum points.

Anyway, what I'm trying to say is that others manage to achieve better detection rates than Dr.Web and I still haven't found a decent argument or an explanation why this happens almost all the time, with few exceptions (Russian tests). Even companies smaller, less experienced and probably with less talented programmers receive higher ratings.

It would be nice to know what is the real reason for this, not just the plain old "tests are not real" argument.

#15 userr
    Newbie
  • Members
  • 16,310 posts

Posted 05 May 2009 - 22:23

Hi!

We exchange some malware links at one Finnish anti-malware community just for testing purposes and we send the files to AV-vendors.

How exactly do you send the files to Dr.Web?

The detection percentages seem to be very low or somehow I manage to have "bad luck."

"Very low" in comparison to what? I think it would be interesting and stimulating for Dr.Web virlab :) if you post here on the forum (start a separate topic, pls) some VirusTotal results for malware recently found by you & your friends. And the ticket from Dr.Web virlab, of course.

#16 risl
    Member
  • Posters
  • 228 posts

Posted 05 May 2009 - 22:59

I submit the samples through the website http://vms.drweb.com/sendnew as "suspicious files". I mean the detection rate is low in comparison to how many new links we found, i.e. how many of them are detected after I download the file and scan it.

Here are some examples:

http://risl.codename.fi/drweb/pha.JPG - #875556
http://risl.codename.fi/drweb/socksbot.JPG - #867370
http://risl.codename.fi/drweb/codec.JPG - #865143
http://risl.codename.fi/drweb/install2004.JPG - #867060
http://risl.codename.fi/drweb/bebushja.JPG - #858031

Currently I have 14 files that are undetected even though I've sent them. There are fewer tickets because I sent one archive containing 8 files. I'll make a specific topic for these if someone from the staff finds it useful.

#17 C.S.J
    Member
  • Posters
  • 199 posts

Posted 07 May 2009 - 00:51

I submit the samples through the website http://vms.drweb.com/sendnew as "suspicious files". I mean the detection rate is low in comparison to how many new links we found, i.e. how many of them are detected after I download the file and scan it.

Here are some examples:

http://risl.codename.fi/drweb/pha.JPG - #875556
http://risl.codename.fi/drweb/socksbot.JPG - #867370
http://risl.codename.fi/drweb/codec.JPG - #865143
http://risl.codename.fi/drweb/install2004.JPG - #867060
http://risl.codename.fi/drweb/bebushja.JPG - #858031

Currently I have 14 files that are undetected even though I've sent them. There are fewer tickets because I sent one archive containing 8 files. I'll make a specific topic for these if someone from the staff finds it useful.


I completely agree with risl on the submission system, and I don't think it would help the situation just to ignore it. DrWeb need to recognise it, stand up and be counted for; it's about time, don't you think?

Here are some strong words from yours truly about it:

The submission system needs to be scrapped, or re-programmed to create a simple way of adding and detecting these samples that customers submit. It does not work (sometimes it does), and 90% of the samples do not get added, replied to, and are probably forgotten about. This is fact, and DrWeb should not dismiss these words.

Possible arguments against it would be that they don't have the time and resources to add and check all submitted viruses, but I'm sure, 100% sure, that DrWeb could complete this part more effectively if they just tried.

As for detection rates and tests, I don't believe these tests to be true; lots of flaws and dodgy testing going on, I'm sure. I believe that DrWeb is a good 92-95% anti-virus

but...

improvements could and SHOULD!! be made. They can do it, they have the tools to do it, yet they don't? And like all anti-virus vendors, they need to improve their adware/spyware detection.

These are my opinions, I believe them to be true, and the time has arrived that DrWeb need to admit it, fix it, and continue to improve its product.

By ignoring it (customers and staff), it will never get fixed, and this will not help anyone in the future. :blink:

I do question Mr. Daniloff's priorities in these 2 queries I've posted above, but of course, a single customer has no voice.

#18 Dr33
    Newbie
  • Posters
  • 45 posts

Posted 07 May 2009 - 01:01

I think we need to learn Russian to get more attention.
I like DrWeb; I just think they can improve a lot by doing just a little.

#19 Blackcat
    Newbie
  • Posters
  • 14 posts

Posted 07 May 2009 - 15:58

It cannot be coincidence that the two vendors who recently pulled out of AV-Comparatives testing were Dr Web and Frisk: small AV vendors who still add malware signatures by hand. So it was not surprising that Dr Web were generally always the slowest in adding the "missed" samples for the next test.

Eset are also renowned for their slow signature addition, but they have concentrated from day 1 on excellent heuristics and ensured that they always pass Virus Bulletin. Good PR for the average Joe to look at.

Because of the deluge of malware in the last few years, most anti-malware companies today automate the vast number of their malware signature additions to the database. Until Dr Web consider this or improve their heuristics dramatically, they will always be a 2nd/3rd tier AV in terms of detection by the main AV-testing sites.

But if you run a layered defense with DW, then you can balance the loss of detection against the excellent performance in real-time.

In addition because of their small size, they will obviously concentrate on their Home market malware detection and therefore malware from further afield geographically may receive lower priority.

Just some thoughts.

#20 risl
    Member
  • Posters
  • 228 posts

Posted 07 May 2009 - 17:03

You have good points :)

The problem in my opinion is: Dr.Web and Frisk are small, but there are smaller companies that score better.

Dr.Web has introduced new heuristic methods but somehow they seem a bit ineffective in tests. No noticeable improvements in detection percentages.

If I understood correctly, there is some kind of automatic ticket resolver working under Ilya Georgievsky's account. You can see "him" adding signatures 24/7 on live.drweb.com. I have also received some replies to samples from the automatic resolver and there are lines like "your ticket was solved by automatic system" and "however, if Dr.Web still doesn't detect it, please do this and that .."

No idea if they are trying to automate it or not.

