Kav 6.0 is Great

Opus

I have the new Kaspersky 6.0 anti-virus program. I thought I could not be
any happier with Kav, but this new update has really improved things. I do
wonder at how long it takes to scan my system, but there is almost 50GB of
files--well over a million individual files to scan--so I guess it is to be
expected. In any event, Kav 6.0 has great stop and restart capability. Any
other version or product just abandons a scan that is stopped in the middle,
but Kav 6.0 will pick up where it left off.

Kav 6.0 also gives you very good control over the functionality of the
program. One thing that I hate about every other product that I've tested
including Windows One Care and Symantec/Norton A/V is that the program
decides what constitutes safe settings and then red-lights anything that is
outside those specs. Kav 6.0 does not do that. If you give something your
official okey dokey, then Kav 6.0 accepts that as gospel and green-lights it
from that point on. There is none of this crap about forcing a particular
security model. In my case, I am a system and database administrator by
profession, and security is a major part of my work. As a result, I know a
great deal about various models and methods and do not want anyone dictating
these things to me. Kav 6.0 does not. Its many powerful features are fully
configurable. When you say a threat is not a threat, then it is not a
threat--Period!

I could go on, but this is enough to give good justification for preferring
Kav 6.0 to other products.

Opus
 
Opus said:
I have the new Kaspersky 6.0 anti-virus program. I thought I could not be
any happier with Kav, but this new update has really improved things. I do
wonder at how long it takes to scan my system, but there is almost 50GB of
files--well over a million individual files to scan--so I guess it is to be
expected. In any event, Kav 6.0 has great stop and restart capability. Any
other version or product just abandons a scan that is stopped in the middle,
but Kav 6.0 will pick up where it left off.

Kav 6.0 also gives you very good control over the functionality of the
program. One thing that I hate about every other product that I've tested
including Windows One Care and Symantec/Norton A/V is that the program
decides what constitutes safe settings and then red-lights anything that is
outside those specs. Kav 6.0 does not do that. If you give something your
official okey dokey, then Kav 6.0 accepts that as gospel and green-lights it
from that point on. There is none of this crap about forcing a particular
security model. In my case, I am a system and database administrator by
profession, and security is a major part of my work. As a result, I know a
great deal about various models and methods and do not want anyone dictating
these things to me. Kav 6.0 does not. Its many powerful features are fully
configurable. When you say a threat is not a threat, then it is not a
threat--Period!

I could go on, but this is enough to give good justification for preferring
Kav 6.0 to other products.

I looked at three different versions of the Betas along the way and
was struck by how the developers were able to pull off a user-friendly
design and avoid the bloatware "av for idiots" approach too many
of their competitors have been taking. I wondered how their design
would fare in the market place. I remember a saying the president of
a company I worked for many years ago had. "An engineer's nightmare
is often a marketeer's dream and an engineer's dream is often a
marketeer's nightmare". It remains to be seen but my opinion of
KAV 6 is that it is both a marketeer's and engineer's dream come true.
As I've said here before .... IMO it's a winner ... any way you look
at it.

Art
http://home.epix.net/~artnpeg
 
Opus said:
I have the new Kaspersky 6.0 anti-virus program. I thought I could not be
any happier with Kav, but this new update has really improved things.

I also tested it for a while. Otherwise it was great and very fast
but it dropped my Internet speed to 1/3 of what it has been. Only
exiting the whole program restored the original speed. And I tested it
several times to be sure it surely is Kav that causes this. Now I am
back to Nod32.

Jari
 
Jari said:
I also tested it for a while. Otherwise it was great and very fast
but it dropped my Internet speed to 1/3 of what it has been. Only
exiting the whole program restored the original speed. And I tested it
several times to be sure it surely is Kav that causes this. Now I am
back to Nod32.

Probably had something to do with its continuous monitoring of
incoming (and maybe outgoing?) packets. I never noticed anything like
that but I have wideband (DSL) service which may make quite a
difference. I can't remember if packet monitoring is a user option ...
I kinda think it is. I don't have KAV 6 installed right now so I can't
check. But my guess is that dialup and other low bandwidth users
probably do have the option to disable packet monitoring, in which
case they still have a quite powerful av package.

Art
http://home.epix.net/~artnpeg
 
Jari said:
I also tested it for a while. Otherwise it was great and very fast
but it dropped my Internet speed to 1/3 of what it has been. Only
exiting the whole program restored the original speed. And I tested it
several times to be sure it surely is Kav that causes this. Now I am
back to Nod32.

Jari,

Some have reported a similar experience, and resolved the issue by
disabling Stealth ... it doesn't affect the overall KAV protection.
There are other issues for some people (eg., PDM), of course, and the
activity in the KL fora has been incredible since the release of KIS
6/2006. I have read a month's worth of posts in the last two days. If
you are interested,

(http://forum.kaspersky.com/index.php?showforum=3)

After the storm dies down, I would expect Don Pelotas to post a sticky
about the installation of KAV 6/2006, specifically as it relates to
those parameters where the default settings do not work for many
people. FWIW, this is similar to KAV 5 where most people had to
disable IDS and the WinXP indexing service in order to have KAV play
nice with the OS.

Ron :)
 
Jari said:
I also tested it for a while. Otherwise it was great and very fast
but it dropped my Internet speed to 1/3 of what it has been. Only
exiting the whole program restored the original speed. And I tested it
several times to be sure it surely is Kav that causes this. Now I am
back to Nod32.

Jari,

Some have reported a similar experience, and resolved the issue by
disabling Stealth ... it doesn't affect the overall KAV protection.
There are other issues for some people (eg., PDM), of course, and the
activity in the KL fora has been incredible since the release of KIS
6/2006. I have read a month's worth of posts in the last two days. If
you are interested,

(http://forum.kaspersky.com/index.php?showforum=3)

After the storm dies down, I would expect Don Pelotas to post a sticky
about the installation of KAV 6/2006, specifically as it relates to
those parameters where the default settings do not work for many
people. FWIW, this is similar to KAV 5 where most people had to
disable IDS and the WinXP indexing service in order to have KAV play
nice with the OS.

Ed. Note (repost): Others have also reported an improvement in
performance by disabling Web and Mail scanning. Again, the protection
is still there, it is just a matter of when the content is scanned.
Here is an example thread, there are others,

(http://forum.kaspersky.com/index.php?showtopic=14165)

Ron :)
 
Jari said:
I also tested it for a while. Otherwise it was great and very fast
but it dropped my Internet speed to 1/3 of what it has been. Only
exiting the whole program restored the original speed. And I tested it
several times to be sure it surely is Kav that causes this. Now I am
back to Nod32.

Jari


Hmmm...that's the kind of input I was looking for.
 
Art, compared to other products you've used, how resource intensive is
it? Can you compare it with NOD32 on that criterion?

I've made no objective comparative resource comparisons.
Subjectively, the KAV 6 Betas I looked at were surprisingly fast once
they had a chance to adapt to my system. They have a "learning curve"
they go through initially. As I understand it, files that have the
same CRC check as before aren't scanned repetitively in order to speed
up scanning. On my 1.8 ghz AMD cpu PC with 256 meg RAM, there is a
slightly noticeable slowdown or sluggishness with all the modules
active. But on my PC loading apps such as Firefox or T-bird is so fast
anyway, I couldn't measure it easily. We're talking a small fraction
of a second increase in loading times on my PC. That's all I remember
noticing.

Art
http://home.epix.net/~artnpeg
 
I disabled web scanning from the outset because I expected it to hammer my
web performance. I do still have it do the mail scan though.

If you ever run a rootkit scan on a machine that has Kav installed, you are
in for a surprise--at least I was. What's up with that?

One feature that I would like to see is something like "Do not scan within
first xx minutes of startup."

I was glad to see that they improved the pause protection resume.

The new UI is superb.

Opus
 
Opus said:
If you ever run a rootkit scan on a machine that has Kav installed, you are
in for a surprise--at least I was. What's up with that?

It probably tries to avoid anti-antivirus modules like "trojan appkill" by
hiding things from software (and the user) via what is now being called
a "rootkit". This would be an example of a "good" rootkit. If the rootkit
scanner is able to compare the actual scheduled processes to a process
list available through an OS API and finds something missing in the API
that is actually scheduled - it will call it a rootkit.
 
It would be nice if rootkit scanners would allow for this "good" behavior
and overlook it. I wonder what Kav hides in there.

Opus
 
Opus said:
It would be nice if rootkit scanners would allow for this "good" behavior
and overlook it. I wonder what Kav hides in there.

I've been on a Kaspersky press event today: When KAV 6.0 scans a file
it creates some kind of HASH code or checksum for it, so it doesn't
need to be scanned again unless the checksum of the file (and the file
itself) has changed. When I asked them where they store the checksums,
they replied that they use some kind of encrypted data base (probably
instead of ADS/iStreams).

Of course they needed to find a way that no malware can attack or
corrupt this data base. So it's only my guess, someone might correct
me if I'm wrong: Most probably it's this checksum data base which is
protected by this rootkit-like technology. Damn, now I remember what I
forgot to ask them ;-)

It would certainly be nice if this "rootkit" was detected as a "good
one" by other rootkit-scanners. But I doubt that Kaspersky's
competitors would do that.

Gabriela
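
The scan-skipping idea described in the post above, as an added example that is not part of the original thread and is not Kaspersky's code: a cache of clean verdicts keyed by file hash, with each entry carrying a keyed tag so that a forged entry cannot suppress a scan. The use of SHA-256 and HMAC, the names `ScanCache` and `toy_engine`, and the marker bytes are assumptions made for illustration.

```python
import hashlib, hmac, os, tempfile
from pathlib import Path

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature hit

def toy_engine(data):  # hypothetical stand-in for the expensive full scan
    return "infected" if MARKER in data else "clean"

class ScanCache:
    """Remembers files scanned clean; each entry carries a keyed tag."""
    def __init__(self, key):
        self._key = key
        self.entries = {}  # path -> (sha256 hex, HMAC tag hex)

    def _tag(self, path, digest):
        msg = f"{path}\0{digest}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record_clean(self, path, digest):
        self.entries[path] = (digest, self._tag(path, digest))

    def is_known_clean(self, path, digest):
        cached, tag = self.entries.get(path, ("", ""))
        return (hmac.compare_digest(cached, digest)
                and hmac.compare_digest(tag, self._tag(path, cached)))

def scan(path, cache):
    data = Path(path).read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    if cache.is_known_clean(path, digest):
        return "skipped"  # unchanged since the last clean verdict
    verdict = toy_engine(data)
    if verdict == "clean":
        cache.record_clean(path, digest)
    return verdict

def demo():
    cache = ScanCache(os.urandom(32))  # the key must stay out of malware's reach
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        Path(path).write_bytes(b"harmless contents")
        results = [scan(path, cache), scan(path, cache)]
        changed = b"changed " + MARKER
        Path(path).write_bytes(changed)
        results.append(scan(path, cache))  # digest differs, so full scan
        # Forged entry written without the key: the tag check rejects it.
        cache.entries[path] = (hashlib.sha256(changed).hexdigest(), "0" * 64)
        results.append(scan(path, cache))
    return results
```

`demo()` returns the verdicts for four scans of the same file: first scan, unchanged rescan, rescan after modification, and rescan after a forged cache entry.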
 
I was wondering if it might just be storing its checksums this way. If that
be the case, then it seems to me a savvy malware developer could exploit it.

Opus
 
Gabriela said:
I've been on a Kaspersky press event today: When KAV 6.0 scans a file
it creates some kind of HASH code or checksum for it, so it doesn't
need to be scanned again unless the checksum of the file (and the file
itself) has changed. When I asked them where they store the checksums,
they replied that they use some kind of encrypted data base (probably
instead of ADS/iStreams).

Of course they needed to find a way that no malware can attack or
corrupt this data base. So it's only my guess, someone might correct
me if I'm wrong: Most probably it's this checksum data base which is
protected by this rootkit-like technology. Damn, now I remember what I
forgot to ask them ;-)

It would certainly be nice if this "rootkit" was detected as a "good
one" by other rootkit-scanners. But I doubt that Kaspersky's
competitors would do that.

i don't know about the brand new version, but previous versions stored
the hashes in the alternate data streams and used stealth techniques to
hide that data and that is what got their product labeled as a 'rootkit'
originally... (http://www.kaspersky.com/news?id=177718126)
 
Opus said:
I was wondering if it might just be storing its checksums this way. If that
be the case, then it seems to me a savvy malware developer could exploit it.

no, kaspersky's product only hides specially crafted data *in* alternate
data streams... although you can put malware into an alternate data
stream, it can't execute from there so it wouldn't be useful to a
malware developer...
 
kurt said:
i don't know about the brand new version, but previous versions stored
the hashes in the alternate data streams and used stealth techniques to
hide that data and that is what got their product labeled as a 'rootkit'
originally... (http://www.kaspersky.com/news?id=177718126)

Kaspersky has replaced iChecker(ADS) in KAV 5 with iSwift in KAV
6/2006. Don't you just love marketing terminology?

iChecker and iSwift technologies:
general information and operating principles
(http://www.kaspersky.com/faq?qid=186010624)

Ron :)
 
Ron said:
kurt wismer wrote: [snip]
i don't know about the brand new version, but previous versions stored
the hashes in the alternate data streams and used stealth techniques
to hide that data and that is what got their product labeled as a
'rootkit' originally... (http://www.kaspersky.com/news?id=177718126)

Kaspersky has replaced iChecker(ADS) in KAV 5 with iSwift in KAV 6/2006.
Don't you just love marketing terminology?

iChecker and iSwift technologies:
general information and operating principles
(http://www.kaspersky.com/faq?qid=186010624)

that link is, unfortunately, rather vague... that said, from my research
i've found that ichecker is filesystem independent, which i believe
rules out its use of alternate datastreams... it seems that neither
ichecker nor iswift use them... the technology that used them was called
istreams, which they do appear to have phased out... iswift and ichecker
are both used now - iswift for ntfs partitions because it's faster (no
checksum calculation required) and ichecker for non-ntfs partitions...

http://forum.kaspersky.com/lofiversion/index.php/t13439.html
 