CAVS tested on http://www.av-comparatives.org/

We volunteered for CAVS to be tested by http://www.av-comparatives.org/ to see its 2nd line of defense (Detection). CAVS 2 came out around 42%, v1 was 27%.

Why did we volunteer:

Well,
1) We have nothing to hide from our users, good or bad!

2) We care more about prevention than detection! After all, CAVS 2 stops more malware than all the other AVs can detect :slight_smile: so we are happy that we are protecting our users and not charging them for a product that we know will definitely fail when the next new malware hits the streets.

3) Even though detection is the 2nd line of defense in our architecture, we still want everyone to see how we will improve slowly but surely in that area and will become one of the best.

So, here we go… let’s see what tomorrow brings :wink:

Melih

Well, that’s certainly different than the 77% we got.
:stuck_out_tongue:

Regardless, the prevention line is still good.

Just a question?
What are the parts of the prevention line?
HIPS and Heuristics?

The percentages all depend on the malware samples you have!

Prevention = HIPS
Heuristics = glorified signatures, hence still detection.

Melih

The HIPS is supposed to ask you before you run a program, right, excluding programs in the safelist? That doesn’t really add any “prevention” because if it’s not in the definitions or caught by the heuristics, then the user won’t know it’s malware. And, if all it does is catch executions, it doesn’t really help because the user wouldn’t have downloaded it in the first place if they knew the file was malware. It’s more of an annoyance layer than a prevention layer.

Or am I misdefining HIPS?

Valid point: however, that depends on how big your safelist is…

If you have a large enough safelist… then most likely, the only time you should see the warning from HIPS is when something is wrong…
Just ask yourself: how many times a day does an average user execute new applications on their machine? Not many! And if we have a big safelist…

It’s all about how good the safelist is…

Melih

But if all the safelist does is exclude items, then that still doesn’t serve any purpose. It would only serve to take up more space. You’re not supposed to run any program not on the safelist? What about some inconspicuous SourceForge program that’s buried on page 283 but still serves a great purpose? A normal user won’t know to submit it, they’ll just randomly scream “OMG MALWARE”. Also, I don’t see any instruction in CAVS that that’s what you’re supposed to do, if it is. And if you’re not, then, again, what is the point of HIPS?

Well, there will always be exceptions to the rule.
Today, users don’t have a way of saying: Hey, only run legitimate stuff on my machine! Nothing else, please! CPF v3 will give that to them.

Will there be some files not in the safelist? Of course there will. Is this a good enough reason not to offer this protection to the masses? Of course not.

CPF v3 is about: “only allowing good” rather than “allowing everything then trying to detect bad”

Melih

The last sentence is a great concept but it uses a flawed means of getting there. Instead of adding what is essentially a panic layer, annoyance layer, and bloat layer why not use your awesome technology to make the best heuristics in the world? HIPS seems old-fashioned and ineffective compared to a technology that could analyze behaviour.

Heuristics are nothing but glorified signatures!

Malware authors test their malware on AVs including heuristics. Then they tune it up to make sure they are not caught.

Maybe you can explain why you think HIPS is flawed. The concept of “Allow only good” is very valid and very real in everyday life, so would love to hear your opinion about why this is flawed.

thanks

Melih

Regardless of how advanced heuristics is, it’s still a form of blacklisting and can only go so far. This means there will always be that missing gap in the wild.

Before I explain why I think that (yes, I do have one), may I ask you a question?
The whole idea of the HIPS is essentially don’t run any program not on the safelist? Is that what it essentially boils down to?

It’s about controlling resources that could cause damage.
E.g.: if uranium is a resource that could be used against us, then it should be well controlled and we shouldn’t allow access to anyone unless authorised.

The only way malware could do damage is if it gets CPU time and executes some code.
So, by only allowing safe ones execution privilege, you mitigate the risk of malware causing damage.

Melih

So we should expect better on the Retrospective/Pro-Active test? If you guys “volunteer” again.

we will always take part in the above and yes we will continually improve…

But do you really care about how many % gets detected or how many % you are protected from?

Melih
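The distinction Melih draws between “how many % gets detected” and “how many % you are protected from” can be made concrete with a small evaluation. The following is an added illustration, not Comodo’s code: it models a blacklist policy (allow everything, block known signatures), a default-deny policy (allow only the safelist, hold everything else for the user), and the layered combination described in the thread, then scores each over a constructed corpus that includes a tuned, previously unseen malware sample and a legitimate tool nobody has submitted to the safelist. All names, hashes and samples are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Added illustration, not Comodo's code. Every name and sample below is constructed.


@dataclass(frozen=True)
class Sample:
    name: str
    content: bytes
    malicious: bool  # ground truth, known to the evaluator, never to the policy


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed corpus of executables a user might run today.
CORPUS = [
    Sample("notepad.exe", b"good-app-1", malicious=False),
    Sample("browser.exe", b"good-app-2", malicious=False),
    Sample("obscure_sf_tool.exe", b"good-app-3", malicious=False),  # legitimate, never submitted
    Sample("old_worm.exe", b"bad-1", malicious=True),
    Sample("old_trojan.exe", b"bad-2", malicious=True),
    Sample("tuned_new_malware.exe", b"bad-3", malicious=True),  # tested against AVs until undetected
]

# Blacklist side: hashes of malware the vendor has already seen.
SIGNATURES = {sha256(b"bad-1"), sha256(b"bad-2")}
# Safelist side: hashes of software the vendor has verified as good.
SAFELIST = {sha256(b"good-app-1"), sha256(b"good-app-2")}


def blacklist_policy(s: Sample) -> str:
    """Allow everything, then try to detect bad (classic AV)."""
    return "block" if sha256(s.content) in SIGNATURES else "allow"


def default_deny_policy(s: Sample) -> str:
    """Only allow known good; anything else is held for the user to decide."""
    return "allow" if sha256(s.content) in SAFELIST else "prompt"


def layered_policy(s: Sample) -> str:
    """Signatures as a first pass (silent block), then default deny for the rest."""
    h = sha256(s.content)
    if h in SIGNATURES:
        return "block"
    return "allow" if h in SAFELIST else "prompt"


def evaluate(policy) -> dict:
    """Detection % counts known-bad blocks; protection % counts malware that did not run.

    benign_prompts counts legitimate programs the user is asked about, which is
    the cost side of default deny that the thread argues over."""
    malware = [s for s in CORPUS if s.malicious]
    benign = [s for s in CORPUS if not s.malicious]
    detected = sum(1 for s in malware if policy(s) == "block")
    not_run = sum(1 for s in malware if policy(s) != "allow")
    benign_prompts = sum(1 for s in benign if policy(s) == "prompt")
    return {
        "detected_pct": round(100 * detected / len(malware)),
        "protected_pct": round(100 * not_run / len(malware)),
        "benign_prompts": benign_prompts,
    }


if __name__ == "__main__":
    for name, policy in [("blacklist", blacklist_policy),
                         ("default-deny", default_deny_policy),
                         ("layered", layered_policy)]:
        print(f"{name:13s} {evaluate(policy)}")
```

On this corpus the blacklist detects and stops 67% of the malware and never bothers the user; default deny detects 0% by signature yet stops 100%, at the price of one prompt for the unsubmitted tool; the layered policy keeps the 100% protection while silently blocking the two known samples. The prompt count is the quantity that grows as the safelist gets smaller, which is exactly the objection raised about the SourceForge program on page 283.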

I care about how much malware is on my system. So if the % is 0 I don’t care how I’m protected.

So when you clean your machine and install CAVS 2, you will be a happy chappy!

Melih

Yeah but when someone installs an AV it’s usually to stop infections already on a machine. I realize this is a beta, but I’m just saying. Detections will be important later.

Sure, of course. However, there are many one-off scans one can do. Once you have done this one-off scan and installed ours… then you are good to go…

However, of course we will improve our detection. We do intend to be one of the best in the marketplace… it’s just a matter of time.

Melih

Okay so it is about half as good as Antivir etc. I think you guys shouldn’t call yourself antivirus or antispyware, kind of misleading.

2)We care more about prevention than detection! Afterall CAVS 2 stops more malware than all the other AV's can detect :)

Cos you throw up a silly prompt whenever something is not on the safe list? LOL. I don’t need Comodo for that.

True.

Maybe you can explain why you think HIPS is flawed. The concept of "Allow only good" is very valid and very real in everyday life, so would love to hear your opinion about why this is flawed.

Default deny is good, yes. Enumerating badness is not a good idea, yes.

However, in this case, where there is almost as much good as there is bad, I’m not too crazy about the idea of trying to enumerate all the good.