F-Prot/Win: opinions?

  • Thread starter Thread starter marek jedlinski
  • Start date Start date
M

marek jedlinski

Funny thing happened. I've used the freeware AntiVir for some time, but for
some reason I've always held on to the DOS-based free version of F-Prot.
Somehow I always had high regard for F-Prot, perhaps because it was one of
the first, if not _the_ first scanner to work with Word macro viruses back
when they first appeared (it was a separate commandline program then),
perhaps also because they have a Linux version, all that.

So last night I went and bought F-Prot for Windows, partly because I
vaguely believed it was going to be at least as secure as AntiVir, and
partly because the GUI is such an eye-candy (heh, yeah, I know...) I also
downloaded the latest update.

Today I had to uninstall the firewall. In the 20 minutes between
reinstalling it, I got infected with Randex.D (or a variant - the trojan
that sends itself over network shares and places msmsgri32.exe in
winnt\system32 folder). F-Prot was running at the time and didn't so much
as beep. The only indication I got was that Startup Monitor alerted me that
msmsgri32.exe was trying to add itself to the registry in HKLM\Run.

The virus is fairly harmless as viruses go, but F-Prot really dropped the
ball on this one. Even with the most thorough scan settings (identify by
content, heuristics, neural) it doesn't recognize msmsgri32.exe as a virus
at all. I sent the file to F-Prot, but this virus has been known since
August 2003, so it's not new at all.

I went back to AntiVir and sure enough, the guard didn't even let me unpack
the executable from a zipfile when I wanted to test it. So, did I just blow
$29 for the pretty interface? Should I stick with AntiVir?

(Before today, I'd only ever had one virus on my machine, back in the days
of MS DOS 3.13 or so. I didn't think I actually needed a scanner :)

..marek
 
marek jedlinski wrote:

I went back to AntiVir and sure enough, the guard didn't even let me
unpack the executable from a zipfile when I wanted to test it. So, did
I just blow $29 for the pretty interface? Should I stick with AntiVir?

(Before today, I'd only ever had one virus on my machine, back in the
days of MS DOS 3.13 or so. I didn't think I actually needed a scanner
:)

.marek
Click to expand...

imho f-prot is still the better choice - not only because of the pretty
interface. It's pretty fast and wont eat too much resources. I compared
the linux version of both programms (i let them run over a collection
of 6000 infected files) and f-prot won the race. The question is: how
soon will f-prot react to your submission. I think this is what counts.
At the moment i use kaspersky and they updated the signatures 30 minutes
after i send the sample. Maybe you should use them both - one to scan
on-access and the other to run a sheduled scan every day.

regards
Christoph
 
marek said:
Funny thing happened. I've used the freeware AntiVir for some time, but for
some reason I've always held on to the DOS-based free version of F-Prot.
Somehow I always had high regard for F-Prot, perhaps because it was one of
the first, if not _the_ first scanner to work with Word macro viruses back
when they first appeared (it was a separate commandline program then),
perhaps also because they have a Linux version, all that.

So last night I went and bought F-Prot for Windows, partly because I
vaguely believed it was going to be at least as secure as AntiVir, and
partly because the GUI is such an eye-candy (heh, yeah, I know...) I also
downloaded the latest update.

Today I had to uninstall the firewall. In the 20 minutes between
reinstalling it, I got infected with Randex.D (or a variant - the trojan
that sends itself over network shares and places msmsgri32.exe in
winnt\system32 folder). F-Prot was running at the time and didn't so much
as beep. The only indication I got was that Startup Monitor alerted me that
msmsgri32.exe was trying to add itself to the registry in HKLM\Run.

The virus is fairly harmless as viruses go, but F-Prot really dropped the
ball on this one. Even with the most thorough scan settings (identify by
content, heuristics, neural) it doesn't recognize msmsgri32.exe as a virus
at all. I sent the file to F-Prot, but this virus has been known since
August 2003, so it's not new at all.

I went back to AntiVir and sure enough, the guard didn't even let me unpack
the executable from a zipfile when I wanted to test it. So, did I just blow
$29 for the pretty interface? Should I stick with AntiVir?

(Before today, I'd only ever had one virus on my machine, back in the days
of MS DOS 3.13 or so. I didn't think I actually needed a scanner :)
Click to expand...

no scanner is perfect... and while randex.d may not be new, what you
got may not be exactly randex.d... it may be a new variant that antivir
recognizes as randex but f-prot does not...

furthermore, no scanner is going to prevent the share enumeration
because the process that's writing the file is on an entirely different
computer... if you have open shares, don't run connected without a
firewall... if you have open shares and no firewall, don't connect...
an av, no matter how good, can't protect you against everything...

lastly, have you checked the sanity of your f-prot installation using
the eicar standard anti-virus test file? maybe something is wrong with
f-prot as it's installed on your particular machine...
 
Funny thing happened. I've used the freeware AntiVir for some time, but for
some reason I've always held on to the DOS-based free version of F-Prot.
Somehow I always had high regard for F-Prot, perhaps because it was one of
the first, if not _the_ first scanner to work with Word macro viruses back
when they first appeared (it was a separate commandline program then),
perhaps also because they have a Linux version, all that.

So last night I went and bought F-Prot for Windows, partly because I
vaguely believed it was going to be at least as secure as AntiVir, and
partly because the GUI is such an eye-candy (heh, yeah, I know...) I also
downloaded the latest update.

Today I had to uninstall the firewall. In the 20 minutes between
reinstalling it, I got infected with Randex.D (or a variant - the trojan
that sends itself over network shares and places msmsgri32.exe in
winnt\system32 folder). F-Prot was running at the time and didn't so much
as beep. The only indication I got was that Startup Monitor alerted me that
msmsgri32.exe was trying to add itself to the registry in HKLM\Run.

The virus is fairly harmless as viruses go, but F-Prot really dropped the
ball on this one. Even with the most thorough scan settings (identify by
content, heuristics, neural) it doesn't recognize msmsgri32.exe as a virus
at all. I sent the file to F-Prot, but this virus has been known since
August 2003, so it's not new at all.

I went back to AntiVir and sure enough, the guard didn't even let me unpack
the executable from a zipfile when I wanted to test it. So, did I just blow
$29 for the pretty interface? Should I stick with AntiVir?

(Before today, I'd only ever had one virus on my machine, back in the days
of MS DOS 3.13 or so. I didn't think I actually needed a scanner :)
Click to expand...

Judging an av product's detection capabilities on one sample malware
is pretty ridiculous isn't it? Instead, check out comparative
detection rates at tests sites listed here:

http://www.claymania.com/anti-virus.html


Art
http://www.epix.net/~artnpeg
 
Judging an av product's detection capabilities on one sample malware
is pretty ridiculous isn't it?
Click to expand...

One miss out of 70-odd thousand known virus definitions isn't at all
representative of a scanner's quality, I agree. But in practice, I just
happened to get that one virus out of the 70 thousand, so you'll understand
that my trust is a notch undermined. I still love F-Prot's speed and GUI
design, though :) I'll be downloading updates and it'll be interesting to
see if they get around to trapping this one.
Instead, check out comparative
detection rates at tests sites listed here:
http://www.claymania.com/anti-virus.html
Click to expand...

Good link, thank you. But:

http://agn-www.informatik.uni-hamburg.de/vtc/
http://www.check-mark.com
http://www.icsalabs.com/html/communities/antivirus/certifiedproducts.shtml
http://www.av-test.org/index_e.htm

of these four test reports linked there, only the last one mentions F-Prot
(and awards top marks to it), and that was in January 2002. I have actually
looked for other comparative tests, but Google doesn't come up with much
useful stuff for once (interestingly, it mostly comes up with non-English
sites).

..marek
 
no scanner is perfect... and while randex.d may not be new, what you
got may not be exactly randex.d... it may be a new variant that antivir
recognizes as randex but f-prot does not...
Click to expand...

Actually, Antivir recognizes it as TR/Small.A2. I got Randex from google
search for msmsgri32.exe (McAffee site, specifically).
furthermore, no scanner is going to prevent the share enumeration
because the process that's writing the file is on an entirely different
computer... if you have open shares, don't run connected without a
firewall... if you have open shares and no firewall, don't connect...
an av, no matter how good, can't protect you against everything...
Click to expand...

Abaolutely; I was dumb not to unplug the modem before uninstalling the
firewall. Interesting lesson about multiple layers of protection though - I
had Startup Monitor running (http://www.mlin.net/StartupMonitor.shtml) and
it tipped me off when the trojan tried to make itself start with Windows.
It was already ruuning at that point of course, but that's better than
nothing.
lastly, have you checked the sanity of your f-prot installation using
the eicar standard anti-virus test file? maybe something is wrong with
f-prot as it's installed on your particular machine...
Click to expand...

Good idea, will do. Thanks!

..marek
 
[Snip]
Abaolutely; I was dumb not to unplug the modem before uninstalling the
firewall.
Click to expand...

[Snip]

Are you using a broadband connection? If you are you should really
consider installing a broadband route/firewall appliance.


--
Cheers-

Jeff Setaro
jasetaro <at> mags.net
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 
marek said:
One miss out of 70-odd thousand known virus definitions isn't at all
representative of a scanner's quality, I agree. But in practice, I just
happened to get that one virus out of the 70 thousand, so you'll understand
that my trust is a notch undermined. I still love F-Prot's speed and GUI
design, though :) I'll be downloading updates and it'll be interesting to
see if they get around to trapping this one.


Good link, thank you. But:

http://agn-www.informatik.uni-hamburg.de/vtc/
http://www.check-mark.com
http://www.icsalabs.com/html/communities/antivirus/certifiedproducts.shtml
http://www.av-test.org/index_e.htm

of these four test reports linked there, only the last one mentions F-Prot
(and awards top marks to it), and that was in January 2002. I have actually
looked for other comparative tests, but Google doesn't come up with much
useful stuff for once (interestingly, it mostly comes up with non-English
sites).

.marek
Click to expand...

Perhaps a variant? F-Prot lists randex.A through .D, and .H, .I,
..J
(.def files from 10-27-3).

--J
Replies to: Njk04s_130_p(at)Ojuno(dot)Tcom
 
Update: I've just received this e-mail from F-Prot:

We have analysed the file you sent us. It is a Randex variant that we
have not gotten sample of until now. We have added detection for it and it
will be available with next update of the definition files.

Very nice.

..marek
 
I know the situation isn't good right now for finding recent test
data. There was a large test done at Uni Magdeburg in Feb 2003 and I
once had a link to a XLS download of the results. Many products were
tested in a number of detection categories, and I'm sure both AntiVir
and F-Prot were included and could be compared side by side.


Art
http://www.epix.net/~artnpeg
 
Back
Top