Перейти к содержимому


Фото
- - - - -

Some considerations


  • Please log in to reply
13 ответов в этой теме

#1 positiveday

positiveday

    Newbie

  • Posters
  • 9 Сообщений:

Отправлено 11 Октябрь 2016 - 13:12

Hello, I've evaluated Dr.Web one month on my Windows PC.

I've found two points that could be enhanced and that prevent me to purchase the license.

The first one is the big amount of false positives.

When DrWeb find a generic encrypted/obfuscated installer it marks as trojan or downloader or somewhat similar.

An antivirus that marks all as potential virus/trojan seems that could have problems in real time protection.

Just as example it's a behaviour totally different from Webroot that permits presence of some virus or issues on hard disk and that is able to avoid infections when they runs.

 

The other feature I find almost not "smart" (and useful) is the SSL inspection functionality.

If I enable this feature ALL SSL communications are intercepted from DrWeb.

Obviously there is a BIG difference intercepting an email client that connect to an email server (the same any time) where to accept an SSL exception one time certificate is acceptable.

Another thing is to intercept https connections forcing users to accept man-in--the-middle certificates also for banking or payment websites.

I will never enable ANY software to analyze data that flows from my browser and my bank website, so I (and I'm sure also many users) keep disabled the SSL filtering due to the https presence (very strange function).

Filter SSL connections has a meaning in email messages that are the FIRST source of virus diffusions, but filter https connections it's the first time I find on a Desktop software and also on corporate firewalls.

So I suggest to create two separate switches for SSL filtering, one for email connections and one for https connections.

 

Apart for these two points I think that DrWeb is a very complete software very well done.

Actually I've paid licenses for Norton Security Deluxe, Webroot, BitDefender, Bullguard so I'me not so pressed to purchase another license.

But I will monitor DrWeb in future because I think that one of most interesting products in this field.

 



#2 Konstantin Yudin

Konstantin Yudin

    Смотрящий

  • Dr.Web Staff
  • 17 105 Сообщений:

Отправлено 11 Октябрь 2016 - 20:37

1. Proofs please
2. SSL intercept/mitm must die in all AV products :)
With best regards, Konstantin Yudin
Doctor Web, Ltd.

#3 Mr.Pr

Mr.Pr

    Member

  • Posters
  • 251 Сообщений:

Отправлено 12 Октябрь 2016 - 14:59

i'm compeletly disagree with your first point ! :)

 

and i have no idea abotu second one . :rolleyes:


“The security industry in that case becomes bullshit, because people believe in those products and use them in their corporate environments without understanding that those products are just following others,”  - Boris Sharov

 

DrWeb Gallery for your Avatars: Click

My Telegram ID: @MrlPr

 

Best Regards,

Parham


#4 positiveday

positiveday

    Newbie

  • Posters
  • 9 Сообщений:

Отправлено 14 Октябрь 2016 - 12:37

1. Proofs please
2. SSL intercept/mitm must die in all AV products :)

 

Hello, many thanks fo your authoritative answer.

About SSL on email scan I think that has no contraindications.

For example, BitDefender has a very transparent filtering, and a user must accept the mitm certificates only one time.

The reason to filter SSL email is due two reasons, the first is that now all decent email servers uses SSL and the other is that email is the first channel for virus diffusion.

I know that after a SSL interception of attached virus, an antivirus software should be able detect zero day issues, and this is all another thing.

BitDefender or AVG check SSL email connection but have a very poor ability to detect (also using euristic) zero days issues.

 

About false positives of DrWeb scan I'm sure you don't need proofs. I'm sure you have a lot of statistics on this matter.

Consider that many virus were obfuscated with common obfuscators (Eazfuscator, Obsfuasm) and all programs obfuscated with these tools get the same ID of the virus that was obfuscated one time.



#5 sergeyko

sergeyko

    Guru

  • Dr.Web Staff
  • 3 785 Сообщений:

Отправлено 14 Октябрь 2016 - 13:29

I'm sure you have a lot of statistics on this matter.

That's right. And we consider our false positives rate as quite low. That's why we need some proves if you claim we are wrong.  


Sergey Komarov
R&D www.drweb.com

#6 positiveday

positiveday

    Newbie

  • Posters
  • 9 Сообщений:

Отправлено 19 Октябрь 2016 - 18:46

Hello, two examples from my disk D:

https://virustotal.com/it/file/5c9c6948db2b3b57c4e5daa6c175ead5cf88a6f6fcb3496620374f9a8b23af6c/analysis/1476891639/

https://virustotal.com/it/file/5c9c6948db2b3b57c4e5daa6c175ead5cf88a6f6fcb3496620374f9a8b23af6c/analysis/1476891639/

 

The executable hardwareid is a mine software obfuscated.

:)



#7 positiveday

positiveday

    Newbie

  • Posters
  • 9 Сообщений:

Отправлено 19 Октябрь 2016 - 18:55

This is the explorer.exe of Windows95 : https://virustotal.com/it/file/b703a69704c5154ecf264abc1489738b9c485ed750f2244339ec74f9cb6230ab/analysis/1476892394/



#8 positiveday

positiveday

    Newbie

  • Posters
  • 9 Сообщений:

Отправлено 19 Октябрь 2016 - 18:57

This is an old .exe I wrote in PowerBasic some years ago : https://virustotal.com/it/file/423df17104e5e8e64512c88e3afa335409ad2d096bc48a7c005e215c2509d155/analysis/1476892251/



#9 positiveday

positiveday

    Newbie

  • Posters
  • 9 Сообщений:

Отправлено 19 Октябрь 2016 - 19:56

This is a dll of Asus AI suite : https://virustotal.com/it/file/a2ef296c9b51ad03f683851ef07f0a5f122d7aa75fbc4850ab116c289490a947/analysis/1476896132/



#10 pig

pig

    Бредогенератор

  • Helpers
  • 10 486 Сообщений:

Отправлено 19 Октябрь 2016 - 19:59

Send your samples here: https://vms.drweb.com/sendvirus/?lng=en
Почтовый сервер Eserv тоже работает с Dr.Web

#11 positiveday

positiveday

    Newbie

  • Posters
  • 9 Сообщений:

Отправлено 19 Октябрь 2016 - 20:15

Hello, many thanks, I will send to that address.



#12 positiveday

positiveday

    Newbie

  • Posters
  • 9 Сообщений:

Отправлено 02 Ноябрь 2016 - 00:28

Just as un update of my test of DrWeb Security Space.

I've purchased two license and I'm using the software.

It works very well, I think that DrWeb Security Space is perhaps the best AV + Firewall suite actually on market.

I will do possible to promote DrWeb to my friends.

I think to have compared most of security suites actually on market.

:)



#13 sergeyko

sergeyko

    Guru

  • Dr.Web Staff
  • 3 785 Сообщений:

Отправлено 02 Ноябрь 2016 - 13:12

Thank you for your kind words! That was quite... unexpectedly considering some considerations the topic had started with. :)
Sergey Komarov
R&D www.drweb.com

#14 positiveday

positiveday

    Newbie

  • Posters
  • 9 Сообщений:

Отправлено 19 Декабрь 2016 - 23:57

Hello, I continue here my considerations.

When I receive a virus from email I do normally two things.

The first is to verify if my (current) antivirus intercept it.

The second is to submit at virustotal the file in order to see what other antivirus know the threat.

In this days I'm still using Norton (I like to change sometimes), and the .js file named "invio documento per cliente generato 16-12-2016.js" was not recognized as threat.

After some minutes after receiving at virustotal.com only two antivirus were able to detect (Eset and Tencent).

I saw that DrWeb was not detecting the threat, so I submitted on 16 Dec the file to the DrWeb sendvirus online service.

The ID was : [drweb.com #7394794] Created: SUBMITTED VIRUS

Now three days are past.

On virustotal the score is of 17/54 : https://virustotal.com/it/file/869b81f0b25ba2cb5a4387d069875602ed419d35015ae00d8bf10f15ee0ba94e/analysis/1482179793/

But still now, Norton and DrWeb are considering the file as a safe java script.

I can understand Norton, that don't offer to customers the opportunity to submit suspicious files, but DrWeb has a dedicated service that .... sometime don't works.




Читают тему: 1

0 пользователей, 1 гостей, 0 скрытых