VB100% июнь 2008

[Иван 290]

в таблице результаты тех, кто участвовал. остальные не участвовали.

не получили VB100%: Аваст, Касперский, Доктор Веб, F-Secure, F-Prot ну и мелочь всякая

напомню, что продукт получает VB100% если у него 100% на коллекции Wildlist (1й столбец) и нет фолсов (последний столбец), все остальные столбцы просто так, видимо для общего развития

Доктор Веб не получил потому, что не взял 16 Wildlist самплов и 3 раза сфолсил

Касперский потому как 1 раз сфолсил.

при этом ВирусБастер и AVG, которые не взяли кучу самплов из неWildlist коллекции, VB100% получили. Я радуюсь таким тестам.

ну да забыл, у Eset как всегда в тестах VB100% результат 100%. и почему у него в других тестах так не получается? вон в тесте Клементи у него 7 фолсов, да и это была веселая история http://www.wilderssecurity.com/showthread.php?t=210120

[alexgr 556]

потому что затачивается под эти тесты. Еще интерснее, что в жизни у них еще хуже, чем в тестах. Например,, у контактников.....

[Иван 290]

в том же выпуске VB опубликован материал AV-Test.org на тему лечения активного заражения

вот выдержки:

System cleaning: getting rid of malware from infected PCs

2008-06-01

Maik Morgenstern

AV-Test.org, Germany

Andreas Marx

AV-Test.org, Germany

Editor: Helen Martin

Some test results

In this section we will present a few small-scale test results, which illustrate some of the common problems encountered but also show that some products are able to handle the system cleaning task successfully. These results have been published in the German ComputerBild magazine [4].

The test was carried out at the beginning of 2008 on Windows XP (32-bit, SP2) and the products (in their most current versions) were updated and then frozen on 7 January 2008. The test was carried out as described above.

The results presented here are from tests run against five samples taken from the then-current WildList – meaning that signature-based detection of the original sample should be guaranteed. There were three rather easy ones: Win32/Rbot!FB26, Win32/Spybot!ITW203 and Win32/Stration!69F2, as well as Win32/Feebs!8897, which uses rootkit techniques, and Win32/Rontokbro!E517, which tries to terminate AV software. The behaviour of the latter two samples complicated the cleaning process for some of the products.

Table 1.

While all products were able to detect the malware samples in an inactive state, there were some problems when they were already installed and active on the system. G DATA and BullGuard failed to detect the Win32/Feebs!8897 infection due to its use of rootkit technologies and were consequently not able to clean the system. All the others were able to detect and disable this threat, however only Kaspersky and Norton achieved full removal. The remaining products didn’t handle the ‘ShellServiceObjectDelayLoad’ registry entry that was used to restart the malware on reboot and could possibly cause false positives if not removed.

The other problematic sample was Win32/Rontokbro!E517, which terminated seven out of the ten tested AV products or prevented them from scanning. Only BullGuard, Kaspersky and Norton were able to deal with the sample and disable it. However, there were still some problems. The malware disabled the editing of the registry with the ‘DisableRegistryTools’ entry and none of the products dealt with this. While it is perfectly understandable for this entry not to simply be set back to the default value – which would allow editing of the registry again and may be different from the pre-infection state – it is not clear why this change was not reported to the user. An analysis of the sample in the lab certainly detected the change and it is also safe to assume that most users do not prevent access to their registry. This makes it pretty clear that the disabled registry would in most cases be the result of the malware behaviour and should therefore be reported.

Another issue was the modified hosts file. The Norton product did clean some parts of it, especially those that affected Symantec addresses, but it left a lot of other bad entries. The other two products that were able to handle this sample simply moved the file into the quarantine. While this effectively disables the malicious intent, it also removes user entries that may be necessary for the system to work as expected.

The other samples didn’t pose any serious problems to the AV products: the Win32/Rbot!FB36 sample challenged BitDefender, BullGuard and F-Secure a little with its run registry entry that was left behind by these products, but Win32/Spybot!ITW203 and Win32/Stration!69F2 were both handled effectively by all products.

[Олег Гудилин 95]

Все же технари особые люди, более правильные и честные, чем мы маркетологи.

The Virus Bulletin tests are real, and they do have some value *if* you understand what the tests mean.

.............

More often than not it seems that the researchers at the antivirus companies are completely at odds with sales and marketing. What has been fun for me is that when I present at trade shows and other venues and ‘in the wild’ is mentioned I can explain exactly what that means to people. Yes, I actually tell them that a VB100% award does not mean a product detects close to everything that is out there.

Randy Abrams

Director of Technical Education

ESET LLC

http://www.eset.com/threat-center/blog/index.php

Тесты, проводимые журналом Virus Bulletin, реальны, и их результаты имеют определенную ценность, *если* вы понимаете, каков их смысл.

.....................

Часто создается впечатление, что антивирусные эксперты в антивирусных компаниях совершенно не могут найти общий язык со службами продаж и маркетинга. Мне нравится, что, когда я выступаю на отраслевых выставках и других мероприятиях и упоминаются вредоносные программы «в дикой природе» (in the wild), я могу точно объяснить людям, что это такое. Да, и я в самом деле говорю им, что получение награды VB100% не означает, что продукт обнаруживает почти все вредоносные программы, какие только есть.

Randy Abrams

Director of Technical Education

ESET LLC

[Иван 290]

гы гы, гы гы

[zanuda 35]

Eset попса, как он берет VB100, вероятно, интересная будет история...

сколько им не искал - всегда в третьей очереди оказывается... прямо природный феномен! :-)