Detection rate comparatives about CIS and 3rd party final AV products by darcjrt

darcjrt · January 19, 2009, 11:20pm

This is simple heuristics test.

PC with 1000K+ malware and scanned with CIS beta with heuristics on High and AVIRA free with heuristics on high

Results are clear. Avira has a huge DB. However CIS database is a test DB. Heuristics did a fair job being beta and unfinished.

How was it done?
I collect malware…yes I do(I am fascinated by malware and how they work)! Anyway…I installed rogues, rootkits and other malware on this XP SP2 unpatched VM.
Then I created a clone and scanned with CIS beta and Avira free. Simple.

Results are attached on text files. Results are not what I expected as Avira has a huge DB!!! so I was supposed to be CIS heur vs Avira heur but Avira detected over 1k based on sigs and 7 or 8 with heur module.

See for yourself.

I cant wait for this version of CIS to come out of the beta to test it with a real DB!!! and a finished Heur!!!
GO COMODO!

PS. Why two COMODO results?? Well, the PC is so unstable that I did not have internet so I scanned with DB version 1. Then the PC got mote stable and updated to 301 and scanned again!!! On the second results the only heur detected are FPs.

EDIT: Just for the records. I am not affiliated with any testing company. I’m just a home user with some time to spare!

[attachment deleted by admin]

darcjrt · January 20, 2009, 12:20am

Now this is a scan with CIS 3.5.57173.439 database definition 937

Attached image and result file

[attachment deleted by admin]

darcjrt · January 20, 2009, 2:03am

I just scanned the same VM with a-squared free and it detected 900+ but, including traces(shutcuts and stuff)…and more important it messed up the PC. It wont boot because it deleted explorer.exe for some reason!!!
So sadly I cannot post results here cause I dont have access to the PC, not even via Command prompt…SAD!!

So my 2 cents.

High detection rate determines whether the AV is good or not. An AV that can detect lots of malware on a PC is considered good and also that can clean the PC.
CAV cant do that as Avira, KAV, NAV or any other “branded” AV. Lets be realistic.

However, CAV is really young. It just had heuristics added(not finished) and COMODO is releasing tons of sigs every day. So CAV has a really long way to go…like 6 more months…LOL(Melih said so).

So, what about CIS. Is it good? Well…I consider CIS the best security suite out there. Why?? It all falls under the new Melih’s law of security…Prev, Dect, Cure.
CIS is excellent to keep your clean PC…clean!!! That is a fact.

Now, again, as a chef I must say this. The quality of a meal is measured by how hard was to find food. How much effort and love you put in when cooking and the presentation of the meal!!

As a programmer, good software is measured by how much effort you put during the analysis, design and coding. How much effort you put during testing and by how many people are willing to test the software for you in order to make it better.!!! And of course the presentation.

COMODO has every one of these! It is obvious how much effort the put on CIS(CAV, CMF, D+, Firewall…etc). And it is more than obvious how many people follow COMODO and are willing to help to make it better. And I really like the GUI!!!

CAVs has a journey to complete. CIS is already there waiting for it.

Keep up the good work. I hope Mods keep this open so I can keep posting results from other AVs and from CAV using new DB versions and stuff.

PS. My msg to Melih…COMODO has an excellent team. I remember when I use to command a army of 20 men coding 12 hours a day as an IT Manager for 3 years. Keep them happy as they are. Keep them doing the great work they are doing…just keep them!!
HATS OFF!!!

darcjrt · January 20, 2009, 3:27am

Avast findings.

[attachment deleted by admin]

SecurityAdvisor · January 20, 2009, 5:34am

Thanks man. Interesting to see Comodo is doing pretty well although it is only a alpha version

Melih · January 20, 2009, 5:59am

Thank you darcjrt!

(Also thank you for your kind words!)

Melih

rejzor · January 20, 2009, 7:49am

Again, packer detections ae bad thing and i seriously advise to make this thing optional and disabled by default unless you guys want to fail on all tests because of false positives and get your virus labs overflooded by FP’s.
Plus those ppl who know the stuff don’t exactly like packer detections. QuickHeal is using them for it’s DNAScan and it’s bad and no one really likes it. SOPHOS is also using aggresive packer detection, causing loads of false positives (besides, it’s meant for corporate environments anyway where you don’t expect anything to be packed at all).
Same goes to Fortinet which is meant for gateways. But for home usage, this is really bad practice.
Sure you get impressive results but also impressive problems. You should not just stop at detection but also think a bit further…

darcjrt · January 20, 2009, 2:49pm

Results CIS 439(not the beta) database version 939
308 total found. 24 more than DB 937.

[attachment deleted by admin]

Yaraslau · January 20, 2009, 3:55pm

Crying results…

nizarawi · January 20, 2009, 8:57pm

bad result !!

SecurityAdvisor · January 20, 2009, 9:06pm

Why bad? It’s only on heuristic engine? I think it is a great result

Breen · January 20, 2009, 9:44pm

Well comparing version 439 to avast( comodo-over 300 detected malware, avast over 900) it is not good result, but as we know, some people tested stable version of CIS on different malware package and detection rate was over 90%. darcjrt will send undetected malware to comodo research.

SecurityAdvisor · January 20, 2009, 10:32pm

Avast uses signature database. The beta DB is a fake one. So only heuristics are being tested

system · January 20, 2009, 10:35pm

When CIS Beta (3.5.6x) goes final, the numbers will be improved alot As SecurityManic said, Current DB in the beta is only a test one and heuristics are still improving… So for any serious testing, wait for the final version to be out then test.

Cheers,
Josh

Breen · January 20, 2009, 11:03pm

Maybe beta has database for testing heuristics but not the version 439 that was compared with avast.

We are looking forward to test stable version with new engine and much bigger malware database

panic · January 20, 2009, 11:25pm

Nope. If it was tested using DB439, then it’s not the BETA version and doesn’t have heuristics. This is a straight forward signature test.

Ewen

fazio93 · January 21, 2009, 12:21am

COMODO’s AV is still young, and besides, D+ can catch more malware than all the AV’s tested on this whole thread combined.

darcjrt · January 21, 2009, 12:30am

The first post was heristics test(beta version).

the following posts is not the beta version. Is the commercial 3.5.57173.439 Db 937 and 939. And I will keep posting results as the DB grows as I am submitting every single piece to COMODO!!! Over 1k EASY!!!

rejzor · January 21, 2009, 12:30am

Yes, only if user knows what he is doing. Most of ppl just click Allow anyway regardless…

fazio93 · January 21, 2009, 12:43am

At least there’s a 50/50 chance they’ll pick block rather than have a 0/100 chance when the AV doesn’t detect it at all.