amateur testing

Thread starter: xmp

i've been doing some amateur (i.e. meaningless) testing.

i started with 440 simple infectors. FireLite did the worst, only
finding 405. BitDefender did a bit better, and Escan found 421. i was
most impressed with Kaspersky which found 429. either the remaining 11
are lesser known, or i may have some corrupted samples.

the interesting part is that Escan uses some variant of the KAV engine,
yet KAV Personal 5 beat it by a good margin.

michael
 
xmp said:
i've been doing some amateur (i.e. meaningless) testing.

i started with 440 simple infectors. FireLite did the worst, only
finding 405. BitDefender did a bit better, and Escan found 421. i was
most impressed with Kaspersky which found 429. either the remaining 11
are lesser known, or i may have some corrupted samples.

the interesting part is that Escan uses some variant of the KAV engine,
yet KAV Personal 5 beat it by a good margin.

I suppose you've made sure scan options settings are identical? And
both are downloading either "normal" updates or extra defs?

My own comparisons of this kind have been done with several thousand
malware samples of various types and in various "containers" with
various runtime packers involved. Usually, I compare KAVDOS32 build
135 with the GUI version 3.5 of KAV. Results have always been
identical. I have seen discrepancies when comparing to Antidote which
uses the KAV engine. Antidote always misses a few that the others
detect for some unknown reason. I haven't compared later KAV GUI
versions. It's possible, of course, that later GUI versions may have
different detection characteristics than earlier versions to some
extent.

Insofar as "amateur" testing goes, there's nothing unscientific or
unprofessional about comparison checks using questionable malware
samples, since you're simply looking for _differences_ in detection.
You're not drawing any conclusions about scan engine quality. That can
only be done using _viable_ malware samples.

And I can't say that since two different KAV scanners agree
identically in detection that they would agree on all possible
samples, since I obviously don't have all possible samples :) I can,
however, detect when some major or significant change occurs, such as
an older build or version not detecting newer XYZ type of malware
currently in circulation. That happened a few years ago with the old
AVPLITE for DOS. It couldn't detect some newer script malware that
KAVDOS32 could detect.


Art
http://www.epix.net/~artnpeg
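The point Art makes above, that a comparison over a questionable sample set can only tell you about _differences_ in detection, is easier to act on when the bookkeeping is done mechanically: deduplicate the samples by hash before counting, then report which unique samples each scanner missed, which pairs of scanners disagree on, and which samples nobody flags (the first candidates for "corrupt sample"). The script below is an added example written for this page, not code from any of the posters or from any of the products named in the thread. The scanner names, the `path: verdict` log format and the sample bytes are all constructed for the illustration.

```python
import hashlib
from itertools import combinations

# Constructed sample "zoo": file name -> bytes. Two entries are byte-identical,
# which would inflate a naive per-file count; one is a one-byte stub standing in
# for a truncated (corrupt) sample. None of this is real malware.
SAMPLES = {
    "infector_a.com": b"\xe9\x10\x00fake-infector-A",
    "infector_b.com": b"\xb8\x01\x00fake-infector-B",
    "infector_c.exe": b"MZ\x90\x00fake-infector-C",
    "infector_c_copy.exe": b"MZ\x90\x00fake-infector-C",  # duplicate of C
    "truncated.com": b"\xe9",                               # likely corrupt
}

# Constructed scan logs, one "path: verdict" line per file. The scanner names
# are hypothetical; the log format is an assumption for this example.
SCAN_LOGS = {
    "ScannerA": """infector_a.com: Virus.DOS.A
infector_b.com: OK
infector_c.exe: Virus.Win32.C
infector_c_copy.exe: Virus.Win32.C
truncated.com: OK""",
    "ScannerB": """infector_a.com: Virus.DOS.A
infector_b.com: Virus.DOS.B
infector_c.exe: Virus.Win32.C
infector_c_copy.exe: OK
truncated.com: OK""",
    "ScannerC": """infector_a.com: OK
infector_b.com: Virus.DOS.B
infector_c.exe: Virus.Win32.C
infector_c_copy.exe: Virus.Win32.C
truncated.com: OK""",
}


def unique_samples(samples):
    """Group file names by SHA-256 so byte-identical copies are counted once."""
    groups = {}
    for name, data in samples.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(name)
    return groups


def parse_log(text):
    """Return the set of paths a scanner flagged (any verdict other than OK)."""
    flagged = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        path, verdict = (part.strip() for part in line.rsplit(":", 1))
        if verdict.upper() != "OK":
            flagged.add(path)
    return flagged


def compare(samples, logs):
    """Per-scanner detection over unique samples, pairwise differences,
    samples missed by every scanner, and scanners that disagree with
    themselves on byte-identical copies."""
    groups = unique_samples(samples)
    detected, inconsistent = {}, {}
    for scanner, text in logs.items():
        flagged = parse_log(text)
        hits, odd = set(), []
        for digest, names in groups.items():
            flags = [n in flagged for n in names]
            if any(flags):
                hits.add(digest)
                if not all(flags):   # same bytes, different verdicts
                    odd.append(digest)
        detected[scanner] = hits
        inconsistent[scanner] = odd

    def names(digests):
        return sorted(groups[d][0] for d in digests)

    missed_by_all = set(groups) - set.union(*detected.values())
    differences = {}
    for a, b in combinations(sorted(detected), 2):
        differences[(a, b)] = (names(detected[a] - detected[b]),
                               names(detected[b] - detected[a]))
    return {
        "unique": len(groups),
        "counts": {s: len(h) for s, h in detected.items()},
        "differences": differences,
        "missed_by_all": names(missed_by_all),
        "inconsistent": {s: names(d) for s, d in inconsistent.items()},
    }


if __name__ == "__main__":
    report = compare(SAMPLES, SCAN_LOGS)
    print("unique samples:", report["unique"])
    print("detections:", report["counts"])
    for pair, (only_a, only_b) in report["differences"].items():
        print(pair, "only first:", only_a, "only second:", only_b)
    print("missed by all (check for corruption):", report["missed_by_all"])
    print("inconsistent on duplicates:", report["inconsistent"])
```

Two things the raw counts hide: the duplicate pair drops the corpus from five files to four unique samples, and ScannerB's 3/4 looks best until the report shows it flagged one copy of sample C and not the other, which says more about that scanner run than about its engine. The "missed by all" list is where to start when you suspect corrupt samples, since a file no engine flags is as likely to be broken as it is to be novel.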
 
Art said:
And I can't say that since two different KAV scanners agree
identically in detection that they would agree on all possible
samples, since I obviously don't have all possible samples :)

thanks for the info Art.

i increased my zoo size to 2800 samples. hopefully will have 10,000
within a few days. i'm eager to try Bitdefender Free vs AVG Free vs
Avast Free vs F-prot (for DOS). maybe this has been done before.

michael
 
Art said:
My own comparisons of this kind have been done with several thousand
malware samples of various types and in various "containers" with
various runtime packers involved.

a couple of samples were packed, and that was an oversight i made.

i plan to try RATs (remote admin tools) next. but this is very time
intensive. you have to make the servers individually (or find samples
somewhere). "nautilus" did a test of these, and even modified the
malware. must have been very laborious, but the results are
interesting. KAV did very well for instance.

michael
 
xmp said:
i've been doing some amateur (i.e. meaningless) testing.

that should read "(i.e. useless)"...
i started with 440 simple infectors. FireLite did the worst, only
finding 405. BitDefender did a bit better, and Escan found 421. i was
most impressed with Kaspersky which found 429. either the remaining 11
are lesser known, or i may have some corrupted samples.

it's entirely possible that you have far more than 11 corrupt samples...

the work involved in managing a good quality virus testbed of even just
440 unique infectors is not trivial... certainly more than someone is
likely to be able to do in their spare time...
 
kurt said:
that should read "(i.e. useless)"...

you mean like 99% of your posts? you're too lazy to even look up the
procedure used in the VB100 testing.

pray tell, what are your credentials? An Associate's in "Computer Science" from
a comm college?
it's entirely possible that you have far more than 11 corrupt samples...

the work involved in managing a good quality virus testbed of even just
440 unique infectors is not trivial... certainly more than someone is
likely to be able to do in their spare time...

no kidding. esp. someone like you. too much posting and too little
thinking.

you're just another self-proclaimed virus guru.

michael
 
xmp said:
you mean like 99% of your posts? you're too lazy to even look up the
procedure used in the VB100 testing.

pray tell, what are your credentials? An Associate's in "Computer Science" from
a comm college?

Hey, hey, go easy with the attack on computer science associate's
degrees from community colleges. I have one, plus two companies I
run. One does/did work for Fortune 500 companies.

nuff said,
 
xmp said:
you mean like 99% of your posts?

no, i mean like 100% of the posts that always seem to pop up about how
people just tried doing their own virus detection tests and got these
'interesting' results...
you're too lazy to even look up the
procedure used in the VB100 testing.

?? and where does this come from?
pray tell, what your credentials? Associates in "Computer Science" from
a comm college?

not that it should matter, but since you seem so interested...

i've been a programmer for the past 19 years...
i've been studying virus/anti-virus issues and helping people resolve
virus related problems for the past 15 years...
i've been a participant in alt.comp.virus for nearly 10 years...
i've been a participant in the virus echoes in fidonet since the time of
edwin cleton (moderator) and his electronic baseball bat (maybe 13/14
years) and have become the moderator myself in more recent years...
i got my BSc in computer science from the university of toronto (before
i finished my minor in statistics) over 4 years ago and i've been
working as a software developer/security engineer ever since...

now hopefully i won't ever have to give anyone my 'credentials' ever
again...
no kidding. esp someone like you. too much posting and too little
thinking.

i point you (as i have pointed the countless 'amateur's [to use your
own description] before you) to vesselin bontchev's paper on the
analysis and maintenance of a clean virus library
(http://www.virusbtn.com/old/OtherPapers/VirLib/)....

unless you're unemployed and out of school i expect 440 viable, unique
viruses would represent _months_ worth of 'spare time' work in order to
ensure that they really are unique and that they are all capable of
recursive self-replication...

without that work, your results don't necessarily mean what you think
they do...
you're just another self-proclaimed virus guru.

i never called myself a guru... or even an expert... vesselin bontchev,
on the other hand, is someone i would call an expert...
 