CAV3 detection rate test [2008.10.05] - 10.26% [CLOSED]

[Guest]

[solcroft]

To reiterate, my point was that if prevention is so hot, why is D+ using detection?

What happened to the "Prevention is 1st line of defense" catchphrase?

Just in case you guys miss my point again, I have nothing against D+'s malware heuristic feature. In fact, I think it should be expanded more. What I'm trying to point out is that prevention is nothing but an empty slogan that sounds good on paper, but in reality just pushes responsibility and shifts blame to the users. I find it dangerous that Comodo's salesmanship of this slogan is actually working: users praise Comodo if they know how to use D+, and blame themselves if they make a mistake. The antivirus and D+ malware heuristic badly need improving upon, and let's not use more "prevention" slogans to try to cover up that fact.

[Kyle]

That's another discussion for another thread. as the whitelist expands.. It won't be left on the user

[3xist]

To reiterate, my point was that if prevention is so hot, why is D+ using detection?

What happened to the "Prevention is 1st line of defense" catchphrase?

Just in case you guys miss my point again, I have nothing against D+'s malware heuristic feature. In fact, I think it should be expanded more. What I'm trying to point out is that prevention is nothing but an empty slogan that sounds good on paper, but in reality just pushes responsibility and shifts blame to the users. I find it dangerous that Comodo's salesmanship of this slogan is actually working: users praise Comodo if they know how to use D+, and blame themselves if they make a mistake. The antivirus and D+ malware heuristic badly need improving upon, and let's not use more "prevention" slogans to try to cover up that fact.

We would appreciate any ideas you have on improving D+. But pls create a new thread. Back on topic...

Josh

[Toxteth O'Grady]

Hey Toxteth O'Grady

Nice image of D+! As you can see... Prevention should be your first line of Defense! Do you mind sending me this malware?

Thanks
Josh

I think I send you a PM... Did you get it? If not, I'll email the files to you.

[3xist]

I got the links but they are advertisements and I think I need to log in.

If you don't mind emailing me the samples.

Josh

[Toxteth O'Grady]

I got the links but they are advertisements and I think I need to log in.

If you don't mind emailing me the samples.

Josh

No, these links are not just ads. It's a free hosting site, that's how they make money.   

You'll have to wait a few seconds before the download link appears. There is a counter (countdown) at the bottom of the page.

Never mind, I'll send an email. 



Edit:

email containing 4 samples sent.

[3xist]

No, these links are not just ads. It's a free hosting site, that's how they make money.   

You'll have to wait a few seconds before the download link appears. There is a counter (countdown) at the bottom of the page.

Never mind, I'll send an email. 



Edit:

email containing 4 samples sent.

Thx m8...

Got em.

Josh

[andyman35]

Well, that's a pretty amazing accusation, since if you actually read the links I provided you'll find out it's the AV industry who's pointing out that the WildList is obsolete. You make it sound like as though the industry is singing praises about the WildList, but I know better than them.
Live system, samples are not executed. Your first question makes no difference to the results, and the second is kind of a no-brainer.

My 'accusation' as you put it was that if you seek to elevate yourself to the definitive AV testing position,then a detailed appraisal of your methodology would be expected as a guide to your credibility.Certainly no insult was intended in that statement but you've made some strong statements that do need scrutiny.

As to my question on dormant or running malware it actually makes a huge difference in the real world if your tests are to be the new benchmark.Whether a particular AV detects a dormant sample may well be of passing interest,but in practical terms it's entirely irrelevant and that is the justifiable criticism of some other testing methodologies.What is  relevant to the performance of a security solution is it's ability to block/detect active,running malware in the real world.PC world have run a number of these type of tests which,although limited in number,have provided some useful results.

[Toxteth O'Grady]

Here is another example of an embedded malware that is not detected by many AV scanners, including CIS.
http://www.virustotal.com/analisis/82ab4566701d9f1f792cdddcdd48b019


However, D+ was effective once again.
http://img232.imageshack.us/my.php?image=setupul9.gif



After permission was denied, the file deleted itself, which was also detected here:
http://camas.comodo.com/cgi-bin/submit?file=d51720fe367d6966ce9a2b4ef71eb67ee49e4bd6022be32553e5fcea09220135

[solcroft]

My 'accusation' as you put it was that if you seek to elevate yourself to the definitive AV testing position,then a detailed appraisal of your methodology would be expected as a guide to your credibility.Certainly no insult was intended in that statement but you've made some strong statements that do need scrutiny.

"Definitive AV testing position"?

I merely stated a fact. If you think my statements need scrutiny, I've provided the relevant evidence to back them up. Perhaps your time would be better spent performing that scrutiny, instead of just talking about it but being too lazy to actually do it, being more interested in spouting uninformed opinions instead.

As to my question on dormant or running malware it actually makes a huge difference in the real world if your tests are to be the new benchmark.Whether a particular AV detects a dormant sample may well be of passing interest,but in practical terms it's entirely irrelevant and that is the justifiable criticism of some other testing methodologies.

Regurgitation of popular media buzzwords with an obvious lack of understanding what they mean.

A piece of malware is a piece of malware. Its code does not change regardless of whether it's active or dormant. Unless the on-access and on-demand scanners use different signatures and/or engines (which I'm pretty sure CAV doesn't), whether a piece of malware is active or dormant is irrelevant to detection.

Harping on the distinction between active and dormant malware is nothing but a technicality in this case, with no practical significance whatsoever.

[andyman35]

"Definitive AV testing position"?

I merely stated a fact. If you think my statements need scrutiny, I've provided the relevant evidence to back them up. Perhaps your time would be better spent performing that scrutiny, instead of just talking about it but being too lazy to actually do it, being more interested in spouting uninformed opinions instead.
Regurgitation of popular media buzzwords with an obvious lack of understanding what they mean.

A piece of malware is a piece of malware. Its code does not change regardless of whether it's active or dormant. Unless the on-access and on-demand scanners use different signatures and/or engines (which I'm pretty sure CAV doesn't), whether a piece of malware is active or dormant is irrelevant to detection.

Harping on the distinction between active and dormant malware is nothing but a technicality in this case, with no practical significance whatsoever.

What you state as 'fact' is merely hot air unless backed up by some form of framework.As to me being too lazy to run these tests some of us have a business to run and can't spend endless amounts of time on such trivia.

As to harping on about the distinction between active and dormant malware (didn't realise one mention is harping),if you can't tell the practical implications of the difference between them then you're a fine example of the old saying that "an ounce of common sense is worth a pound of knowledge"

A sandbox can prevent virtually all malware infections without being able to detect a single piece of malicious code,yet you ridicule Melih for his stating that prevention is better than cure.I'm beginning to think that your motivation is something other than a neutral observer.

Malware is only malicious when it's running when dormant it's merely code.The ability to prevent the former or detect the latter,which is important?

[solcroft]

What you state as 'fact' is merely hot air unless backed up by some form of framework.As to me being too lazy to run these tests some of us have a business to run and can't spend endless amounts of time on such trivia.

The evidence has been provided. I don't know if you're acting stupid, or are really stupid, or do not know how to click on the provided links, or are illiterate and do not know how to read English after clicking on those links. gibran read the reports, and replied with well-thought responses. Debating this with you, on the other hand, looks like nothing but an absolute waste of time. If you are unwilling or do not have the time to educate yourself on these matters so that you can produce informed opinions and arguments, please don't try to engage in debate.

Malware is only malicious when it's running when dormant it's merely code.The ability to prevent the former or detect the latter,which is important?

More regurgitation of media (or possibly Melih) hype with zero background knowledge and understanding.

Recognizing a program as "malicious" is something only a human being can do. Antivirus scanners have no such capability. They scan the code, and if something in it matches what they're programmed to look for, they identify the file as infected. Whether or not the file is active or dormant makes no difference to the scanner, because the code doesn't change.

I can't believe I'm explaining something this simple TWICE. Scanners identify files based on their code. Scanners do not and cannot care whether a file is malicious, or at what times is it malicious. All they can do is scan the code. Please get this into your head before you try to teach others about common sense - something you obviously lack.

[Star Shadow]

Here is another example of an embedded malware that is not detected by many AV scanners, including CIS.
http://www.virustotal.com/analisis/82ab4566701d9f1f792cdddcdd48b019


However, D+ was effective once again.
http://img232.imageshack.us/my.php?image=setupul9.gif



After permission was denied, the file deleted itself, which was also detected here:
http://camas.comodo.com/cgi-bin/submit?file=d51720fe367d6966ce9a2b4ef71eb67ee49e4bd6022be32553e5fcea09220135

Damn. AntiVir, Kaspersky, and NOD32 didn't detect that one. :O But AVG did. Just shows that you need multiple antivirus programs to stay safe in this world. << Though, D+ is great and it gave you that alert, would a uninformed user click allow or deny?

[LeoniAquila]

The evidence has been provided. I don't know if you're acting stupid, or are really stupid, or do not know how to click on the provided links, or are illiterate and do not know how to read English after clicking on those links. gibran read the reports, and replied with well-thought responses. Debating this with you, on the other hand, looks like nothing but an absolute waste of time. If you are unwilling or do not have the time to educate yourself on these matters so that you can produce informed opinions and arguments, please don't try to engage in debate.

More regurgitation of media (or possibly Melih) hype with zero background knowledge and understanding.

Recognizing a program as "malicious" is something only a human being can do. Antivirus scanners have no such capability. They scan the code, and if something in it matches what they're programmed to look for, they identify the file as infected. Whether or not the file is active or dormant makes no difference to the scanner, because the code doesn't change.

I can't believe I'm explaining something this simple TWICE. Scanners identify files based on their code. Scanners do not and cannot care whether a file is malicious, or at what times is it malicious. All they can do is scan the code. Please get this into your head before you try to teach others about common sense - something you obviously lack.

Please keep a friendlier tone or we will have to use the forum policy violation board.

LA

[Melih]

Recognizing a program as "malicious" is something only a human being can do. Antivirus scanners have no such capability. They scan the code, and if something in it matches what they're programmed to look for, they identify the file as infected. Whether or not the file is active or dormant makes no difference to the scanner, because the code doesn't change.

I can't believe I'm explaining something this simple TWICE. Scanners identify files based on their code. Scanners do not and cannot care whether a file is malicious, or at what times is it malicious. All they can do is scan the code. Please get this into your head before you try to teach others about common sense - something you obviously lack.

Guys your valuable efforts will go nowhere! Cos the intention that solcroft has is not about learning but putting Comodo down. Its as simple as that! Lets concentrate on people who need help rather than trolls who come here with ulterior motive to bash Comodo.

Lets declare this topic "DO NOT FEED THE TROLL ZONE"

Melih

[Tags:]