Huge samples collection

latest Kaspersky Internet Security 7.0 (freshly downloaded from the official website) with latest signatures and maximum heuristics:

Not-a-viruses detected: 114/116 (~98%)
Worms detected: 2336/2350 (~99%)
Viruses detected: 23545/23573 (~99%)
Other malware detected: 1993/2053 (~97%)

Overall detection: ~98%

note that I don’t work for Kaspersky Labs, I use NOD32 in fact :-)))) KAV is great but it’s also slow (I mean SLOW AS HELL!!!)…

some info regarding these 9000+ trojans… these files:

Backdoor.Win32.DSNX.02, Backdoor.Win32.MoSucker.06, Backdoor.Win32.Knightseven.10, Trojan.Win32.Avkillah.10, Trojan-Downloader.Win32.IED.11, Trojan-Dropper.Win32.MultiJoiner.16, Backdoor.Win32.Wow.23, Backdoor.Win32.NerTe.77, Trojan.DOS.Ra.574, Backdoor.Linux.Cyrax.a, Backdoor.Linux.UDP.a, Trojan-Notifier.Win32.OptixPager.SE.a, Trojan.FreeBSD.RootKit.a, Trojan.Java.ClassLoader.Dummy.a, Trojan.VBS.Foomol.a, Trojan.Win32.Smell.a, Trojan-Downloader.Win32.Small.aj, Trojan.Win32.Aldy, Trojan-Downloader.Win32.Wintrim.av, Backdoor.Linux.BO.121.b, Trojan-AOL.Win32.Oscar.b, Trojan-Dropper.JS.Mimail.b, Trojan-PSW.Win32.Wortron.10.b, Trojan.DOS.Rebootpc.b, Trojan-Dropper.VBS.Inor.bp, Trojan.Win32.KillFiles.bx, Backdoor.Win32.Slackbot.c, Trojan-PSW.Win32.GinaPass.c, Trojan-Downloader.Win32.QDown.d, Trojan.Java.ClassLoader.e, Trojan.Win32.DiskFill.f, Trojan.BAT.FormatCQ, Trojan.Java.ClassLoader.h, Trojan.Win32.Pandora.i, Trojan.Java.ClassLoader.j, Trojan-Downloader.Win32.Small.jl, Backdoor.Java.JRat, Backdoor.Win32.ControlTotal.k, Trojan-Dropper.Win32.Kifer, Trojan.Win32.Delf.l, Trojan.Win32.Pandora.l, Backdoor.Win32.Ciadoor.logger, Backdoor.Win32.Delf.mj, Backdoor.Win32.ControlTotal.o, Trojan-Downloader.Win32.Agent.p, Trojan-Downloader.Win32.Perfiler, Backdoor.Win32.VB.po, Trojan-Proxy.Win32.Portram, Trojan-Downloader.Win32.Agent.r, Trojan-PSW.HTML.Snix, Trojan.BAT.Swap, Backdoor.Win32.Small.t, Trojan-Downloader.Win32.Agent.t, Trojan.BAT.FormatCQ.t, Backdoor.Win32.Valvoline
are not harmful and are a kind of "false signatures"... at least that's what "specialists" say - they were designed as malware but contain errors which render them harmless

Hey Burillo,

Interesting stuff, but you have made the same mistake that most other testing sites have done - you’re testing CAVS solely on its detection capabilities and totally ignoring the fact that it has a HIPS component to prevent the infection occurring in the first place.

It would be interesting to see the results if each application was first installed onto a known clean system and scanned after installing, or attempting to install, each malware component and then recording the quantity of undetected malware samples remaining on the system after HIPS prevention and AV detection.

In this case, the HIPS component in CAVS would alert on each attempted malware install which you could block, and then its number of “undetected malware samples” would be negligible. AVs without HIPS would not, however, vary in their results.

Ewen :slight_smile:

but now that would be unfair, wouldn’t it? ;D HIPS doesn’t “detect” anything, it simply blocks any app. We’d get a 100% result forever ;D

I think Burillo was testing only CAVS’s detection capabilities not its overall anti malware efficiency. Most people are concerned about its detection rate. I am using cfp 3 which has a much more advanced HIPS than CAVS so why would I use CAVS if not for its detection capability as a backup?


It’s a really good job you’re doing Burillo, BUT I think I must ask you to remove the links, as it’s against the forum policy to post links to malware (I doubt anyone except me has read it lol), even tho you did include warnings.
And I really doubt all those are FP’s lol (can only happen with Norton ;D).

Quoted from the Forum Policy:

The reason for why I’m not deleting it myself, is so that you can copy the links, so you don’t have to upload it all again.
Anyways, you’re still allowed to PM/e-mail it to someone if they’re interested.

Also, I will test them with Avira Free 7, fully updated, in around half an hour when my download is finished.


What is the ultimate, long-term goal of an AV? Surely it is so you end up with a virus free PC, regardless of the mechanisms employed in achieving this. The fact that CAVS employs a prevention - detection - removal cycle, whereas other AVs only use a detection - removal cycle, doesn’t mean that CAVS is deficient. To my way of thinking, it serves to highlight the inadequacies of the others.

It’s like saying

“At the four furlong mark, my horse was running at 98 MPH and yours was only running at 92 !”

“Yeah bud, but who won the race?”

Ewen :slight_smile:

I totally agree with the prevention approach of Comodo. So I don’t need to be shown the right way of thinking. Anyway, this horse race was a good example. What you are saying is true. Period. I didn’t say that it is not like that, nor that CAVS is deficient. Maybe you misunderstood my post, or it is just my lack of English. When I was using cpf 2.4 my AV was CAVS and I was pleased with it. Liked its application control module. But now that I am using cfp 3, which employs a much more sophisticated prevention mechanism, it takes over the prevention part of CAVS’s “prevention-detection-removal/cure” cycle. What remains is detection and removal, which are currently not the best part of CAVS. So right now I don’t know why I should use CAVS. On its own it could be a very efficient anti-malware product regardless of its detection rate. But in my case, as cfp 3 copes with prevention, I prefer to have an AV only for detection, which could still be useful even when using a HIPS alongside. There are a lot of legit applications, not to mention the not-so-legit ones containing malware, that a user may want to run. In this case, when I am not sure whether to trust a program, a good file scanner could be handy.

[at] Blas,

Please don’t misunderstand me, there are many AVs out there with a greater detection rate than CAVS and CAVS definitely needs to improve.

CAVS3 is currently in development and promises to have vastly improved detection capabilities, along with the ability to co-operatively use the HIPS component of the firewall (if it’s installed and the user agrees with this, of course). The merging of the BOClean and CAVS signature bases will bring further improvements.

LOL. Gotta agree about the efficiency of CFP as an anti-malware measure. AVs are starting to seem almost irrelevant (AV lovers please note - I did say ALMOST), but, at a minimum, an on demand scanner is still needed, if only as a safety net.

Ewen :slight_smile:

And here we are: the same old discussion about Prevention (HIPS) versus Detection (Definitions). But what I miss in most of the discussions is the usability of HIPS. Of course you can use a whitelist to make things easier for the user like Comodo does, but with HIPS it will always come to a point where the user has to decide if something is good or bad. And the majority of users won’t have a clue what to decide then. That is why detection is, and will be, so important :slight_smile:

Back to the race track: you can have the fastest horse, but if hardly anyone can ride it you won’t win many races :wink:

Greetz, Red.

Hey Red,

Of course detection is important (I never said it wasn’t), and I firmly believe that detection is part of a structured, layered defense strategy, but just one part. Hopefully CAVS3 will have a greatly improved detection rate.

For me, the most important part of our e-defenses is knowledge. The more info a user can get (and understand) the better they can determine what to do. Clear descriptions of an intended action during the prevention phase can surely help users make up their mind what to do in the event of a HIPS alert (whether that HIPS alert came from the firewall or from the AV is irrelevant).

To continue the analogy of signature based detection and racetracks…

“coming in to the home straight with 2 furlongs to run it’s Detection Based AV out in front by a mile, but wait a minute … the finish line just got moved because there’s X thousand new viruses released - guess we’ll just have to keep running. And running. And running. And running …” :wink:

Ewen :slight_smile:

:frowning: >:( heeeey, don’t delete the links. I’ll have to write it somewhere :stuck_out_tongue:

Hey ganda :slight_smile:

send me malware and you'll be cursed to the bone til your seventh reincarnation!

So if I send you malware you will give me 7 more lives after this one 88) Give me your email address m8 :stuck_out_tongue:

Greetz, Red.

;D ;D ,
oh btw you can find my email address if you click my name above the avatar. It’s Gmail, so I think you can’t send app files (:TNG)

(:KWL) Hello. Well, I just tested Norton Internet Security 2008 with the latest definitions and stuff and I found out that it’s very good (a little bit worse than Kaspersky, but only a little, so I think I won’t change it now). Maybe when Comodo releases CAVS 3 :BNC (:AGL)

Removed the links. Here are some thoughts. Proper testing of NOD32 v3.0 is impossible, so I will now download (and use!) version 2.7. I had nothing to do and wrote a detailed report which you can read in my Windows Live blog.

I do not agree. HIPS is the best thing to prevent unknown viruses, but there are too many users that just can’t determine right from wrong, and that’s where signature detection comes in. Yes, with HIPS we have 100% safety, but only when you know what you’re doing, whereas virus signatures can 99% (counting false positives) assure you that you HAVE malware.

Retested NOD32 v2.7 (ditched v3.0) and finally got absolutely clear results. These were the most current definitions available.

```
threats      Signatures  Extended  Heuristics  detected/total (rate)

Not-a-virus          41         0           1  42/116 (36%)
virus              8599         2        2754  11355/23573 (48%)
worm               1927         0         240  2167/2350 (92%)
trojan             8548         1         208  8757/9346 (93%)
malware            1489       190          17  1696/2035 (83%)

overall                                        24017/37420 (64%)
```

note: NOD32 detected an additional 27 infections when ALL detection features were enabled (seems like heuristics work better in conjunction with ordinary signatures)

A few days ago I did offline testing with outdated definitions (read previous posts); now I updated and reran the test. CAVS 2.0 detected:

1 more “other malware”
1 more worm
16 more trojans

No more “not-a-viruses” or viruses were detected.

BTW “undetected” archive for NOD32 is 82Mb, for CAVS is 755Mb…

Dr. Web results:
```
threats      Signatures  Heuristics  detected/total (rate)

Not-a-virus          38           0  38/116 (32%)
virus             21294           0  21294/23573 (90%)
worm               2318           0  2318/2350 (98%)
trojan             8069           3  8072/9346 (86%)
malware            1549           0  1549/2035 (76%)

overall                              33271/37420 (89%)
```
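The result tables in this thread are typed by hand, so a small checker that parses that row format, verifies that the per-engine counts add up to the detected figure, and computes the sample-weighted overall rate and per-category differences between two products is a useful sanity step before quoting percentages. This is an added example written for this page, not code from the thread’s posters; the two tables embedded below are constructed copies of the NOD32 v2.7 and Dr. Web rows posted above.

```python
import re

# Constructed copies of the two result tables posted in this thread
# (NOD32 v2.7 has signature/extended/heuristic columns, Dr. Web has two).
NOD32_TABLE = """
Not-a-virus 41 0 1 42/116 (36%)
virus 8599 2 2754 11355/23573 (48%)
worm 1927 0 240 2167/2350 (92%)
trojan 8548 1 208 8757/9346 (93%)
malware 1489 190 17 1696/2035 (83%)
"""
DRWEB_TABLE = """
Not-a-virus 38 0 38/116 (32%)
virus 21294 0 21294/23573 (90%)
worm 2318 0 2318/2350 (98%)
trojan 8069 3 8072/9346 (86%)
malware 1549 0 1549/2035 (76%)
"""

# category, one or more per-engine counts, detected/total, (rate%)
ROW = re.compile(r"^(\S+)\s+((?:\d+\s+)+)(\d+)/(\d+)\s+\((\d+)%\)$")

def parse_results(text):
    """Return {category: (detected, total, [per-engine counts])}; reject rows whose engine counts do not sum to 'detected'."""
    rows = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        cat, engines, detected, total, _pct = m.groups()
        counts = [int(x) for x in engines.split()]
        if sum(counts) != int(detected):
            raise ValueError(f"{cat}: engine counts {counts} do not sum to {detected}")
        rows[cat] = (int(detected), int(total), counts)
    return rows

def overall_rate(rows):
    """Overall detection as (detected, total, fraction), weighted by sample count per category."""
    det = sum(d for d, _, _ in rows.values())
    tot = sum(t for _, t, _ in rows.values())
    return det, tot, det / tot

def compare(a, b):
    """Per-category detection-rate difference a minus b, in percentage points (1 decimal)."""
    return {c: round(100 * (a[c][0] / a[c][1] - b[c][0] / b[c][1]), 1) for c in a}
```

Running `overall_rate(parse_results(NOD32_TABLE))` reproduces the 24017/37420 figure from the post, and `compare(parse_results(DRWEB_TABLE), parse_results(NOD32_TABLE))` shows that the overall gap between the two products is almost entirely the "virus" category.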