Rafal Dudek
June 4th, 2004, 10:36 pm
THINGS HAVE CHANGED! Please scroll to last post of this thread for information!
Yay! Welcome to the first edition of my Interweb Security Info Center (new name pending, send PM for ideas)
For a while now I've become very interested in internet security, which includes defenses for viruses, trojans, spyware, and hacking. After going through several products, all I can say is that "No anti-software is created equal". Keep this in mind as you go through my listing of findings.
By the way... I was too busy to edit any bad spelling/grammar so =P
-= Time to Evolve =-
Security is always a concern for big corporate giants and small businesses. But home users are bigger targets and are the most ignorant of their surroundings. The truth of the matter is that when most people pick up some anti-virus software off a store shelf, they think they're 100% secure from everything. This is just a silly belief, and no one should think this way. What if I told you that viruses aren't exactly a threat anymore? Most retail virus scanners out there can pick up 95% of the viruses thrown at them. Some do better than others but they still get the job done. This is all fine, but if you're an internet surfer, use p2p file sharing, or just like to download things, you'll be surprised to hear that your Norton or McAfee or AVG will leave you pretty much naked. The problem I'm referring to is "trojans". These are nasty bugs that cause more trouble than your average virus/worm. The last 25 big threats were all trojans. These buggers can be specifically nasty when they come in a package (very undetectable by most AV products) since they are specifically designed to block off most common AV products from functioning correctly and open up your computer for various exploiting. A lot of them have key-logging capabilities, sending out data to "dump" servers for anyone to take a look at what you have been doing/typing.
Norton, McAfee, AVG and even my previous recommendation Eset NOD32 are extremely weak in the anti-trojan department. This is why I gave up on them, especially since Norton and McAfee are notorious for taking over your system and providing crap service, not to mention slow updates and poor customer support. If you use any of those listed products, I suggest pairing them with BOClean. BOClean is a specifically developed anti-trojan application. At $40 per license, it doesn't come cheap, but with this you'll have maximum protection against any of today's threats.
But why pay so much? $40 for an AV product and another $40 for an AT product... there must be a better way =]
So for a few weeks I've been on a search for the right product to suit my needs. I found a few and I also made a remarkable discovery... Multi-Engine Anti-Virus software. So off I went to find reviews of various ME AV products and to my surprise... there were none. So I fired off an email to various publishing houses (including PC Magazine) and was shocked to hear the response. These big houses REFUSE to review those products because they feel it's "unfair" to those programs using only one engine for scanning. This is unbelievable, completely ridiculous and should NOT be allowed to continue. When an average user looks for reviews of certain products, they are looking to commit their hard-earned money to whatever suits them best, so this is why I created this thread. =] There are lots of good and lots of bad stuff out there. I'll try to provide the best facts so you can make the decision by yourself =]
-= Time to Hit the Dirt =-
Most of these big boys offer some form of trial offer to test their product. For some, you'll have to actually email them for a trial key. Also note, these products ARE NOT IN ORDER OF PREFERENCE. I just wrote them down as I tested each. At the end of the article you'll have my recommendation =]
F-Secure:
----------------------------------
Super-Star quality engines! Support is reasonable, but expect up to a 1-3 day wait for replies at times. Definition updates are lightning quick as well. The biggest problem here is this thing can bloat up to 50MB of RAM - but on the good side, most people don't notice any performance drop. F-Secure has had a recent problem with exploits to its system - which they promptly respond to with fixes/patches. Support seems reasonable (compared to most AVs), at about 2-3 days wait. So this product still has flaws! Backweb runs constantly, and is annoying, it sucks up RAM like a sieve, and it's expensive...
I have detailed information on the F-Secure engines:
The Libra engine
-Developed by F-Secure corporation.
-Traditional engine based on virus signatures.
-Strong on macro viruses.
The AVP engine
-Originally developed by Kaspersky Lab in Russia.
-Traditional engine based on virus signatures.
-Strong on 32-bit viruses.
The Orion engine
-Developed by F-Secure corporation.
-Heuristic engine that detects only 32-bit file viruses.
-Signature files used to handle false alarms.
Effectively over 150,000+ Definitions for total protection.
BitDefender:
--------------------------------------------
I *WANT* to love this product, but it has some nagging issues in my tests that drive me insane! For one, their definition database needs some hardcore work; it's lacking big in some areas. Where's the support???? I tested their support responses for a fairly basic question, and waited 6 days for it... That's unacceptable. I do absolutely love the interface and slickness of this product, I just wish they would beef up their heuristics and databases - and do it quickly. This would be an amazing contender if they did. Right now, it's just a few steps behind. I'm not sure which engines it's using. It seems like one main one which is split into several smaller pieces to perform different functions.
eXtendia AVK:
---------------------------------------------
There's a lot to love in this product... Double engines - and two very good ones to boot. Wonderful interface, a massive wealth of configurability, fast updates - sometimes hourly. Tech support I've tested has been VERY good, usually email responses to registered customers between 1-24 hours at the most - with a voice line fully published and not hidden on their website.
Double engine technology is proven to work, and the mere fact that many testing houses are "scared" to test multi-engine products really drives this point home for me. At $29.00 for the engine package, it's hard not to recommend this, but I'm still evaluating it, and will not give it my full seal of approval yet.
The two engines this product uses are KAV and RAV, totalling nearly 200,000 virus definitions and rising rapidly. They update both engines separately, but it's on a daily basis, sometimes even hourly. Something the big boys are lacking.
Kaspersky:
------------------------------------
I have a real problem with a product that sells for $80 that is essentially a stripped down, nerfed version of a lesser product I can get for $29 (eXtendia AVK). Even though AVK isn't the KAV5 engine, the big argument now is that many feel the KAV4.5 engine (which is in eXtendia AVK) is better than the 5.0 engine, which still has some kinks to work out of it.
Either way, KAV is a heavily definition based product, and doesn't always score the highest on heuristics - I've put the pure KAV engine through a few heuristic tests which I can make it fail, but the RAV engine picks up. So I definitely like KAV's definitions, when combined with a bit stronger heuristic side. Still waiting for the KAV5-PRO version to come out, which is rumored to be months away. KAV5-Lite, which is out now, has almost no configurability, which stinks!
Norman AV:
-------------------------------------
This product is one helluva contender... Co-developed at Microsoft Labs to investigate the feasibility of a sandbox type system, this guy DOES perform well. This was one of the few AVs out there to find my rebased test file and the baddies inside it. However, this product seems to get a bum rap from many AV testers... The reason? When scanning thousands of viruses in a row Norman can be slow - so many test houses don't run tests with Norman. Ironically, it's SUPPOSED to be slow when you throw 10,000 viruses at it, because it has to examine each one separately in its sandbox. That's how the system works, and that's why the system is so powerful.
One AV house I inquired with about Norman said that when they stopped the on-demand scanning due to it being slow on large volumes of viruses, Norman was already scoring in the 85-90% range... Higher than anything else that finished that test!
The interface of this product is techie, and newb unfriendly (I like it). The overall polish of the product seems lacking, and it's VERY expensive! Tech support is quite good, with responses generally within hours - seldom more than 24 hours. Stability can be a bit of a concern, and on some configurations and systems, I've read reports of system issues. I personally didn't encounter any of these myself. On my tests, Norman was *AMAZING* in its ability to work heuristically on new samples - also Norman is known as being very fast on definition releases... However, at $60 per year, this product is obnoxiously overpriced for the average computer user.
-= My Recommendation =-
Drum roll please...................
..
..
..
eXtendia AVK!
http://www.extendiaavk.com/
And here is why:
First, it uses two engines... KAV (Kaspersky 4.5) and RAV. I often see security concerned people running resident AV (antivirus) and AT (antitrojan) products alongside each other. Some even add spyware/adware guards on top of this as well. The layered system does work, in practice and in principle, so why not a layered AV product?
Second, the price. At $29, this thing is a steal. Kaspersky itself costs $80.
The install was smooth, simple, and very well done. Nothing crazy here, and it was quick and efficient, not even requiring a reboot of the system. Once the install was finished, the program contacted the update locations and grabbed engine and definition upgrades for both the Kaspersky and RAV engines respectively - neither the program nor Windows required rebooting.
The interface is easy to use and has lots of options to customize this product to your needs. You can run both engines realtime, or if you need performance (let's face it, we're gamers here) you can disable any deep scanning, only monitor certain directories (you can disable any monitoring of any game directories if you wish) or even disable any one or both engines. Speed or protection... you choose =]
For mail programs the product comes with an integrated module for Outlook/Outlook Express that puts the controls for the AV directly on the toolbar within the email client. It places the options for the product within the email program's options menu. For people who do not use Outlook, you can totally configure any other program or generic POP3 scanning via ports - which should mean 100% compatibility with any mail client. AVK scans OUTBOUND as well as INBOUND emails, which many AV products lack. There are a plethora of options on how to handle infected mail, including sending out notices to another email address, automatically sending out a warning to the person you received the infected mail from, and more.
Next up I used AV Tester 3.0, which basically creates fake trojans that mirror real ones, and creates variations in realtime. Mostly this is to test on-access memory monitoring heuristics. It's a pretty effective test it seems, and several AVs and ATs miss these completely! Results from AVK were quite impressive. (AVK wouldn't even let the file execute; in fact, merely moving "near" the file tripped off a full file-lock on it... Apparently AVK heuristics are picking up slight traces of the test files' signatures within the program itself.)
Just to see if it cheated, I used a rebased packer on this one, which is a really nasty altered-packed trojan with several rebased/stealthed trojans inside. AVK stopped the download before it finished writing it to my hard drive at 99%, locked access to the file, then quarantined it. I have to say that's some pretty nice heuristic action going on there, especially when you consider about a dozen or more other products don't even recognize this threat!
This is an interesting product to test. Though I'm still searching for something to throw at it that it doesn't find. I'll report back next month with further testing on this. =]
The value of this product cannot be questioned... At only $29.00 for the product, including 1 full year of full updates, this is really a bargain, especially when you consider that with this product, you will NOT need any additional protection. Yearly upgrades cost only $24 per year, and keep you up to date on all the latest definitions, engines, and product upgrades. Considering many AV/AT products cost double or more, this seems to me like a best-buy. At the very least, this product should be on your hard drive as a dedicated on-demand scanner, because in deep-mode, with both engines running, you'd be hard pressed to find a better product in my opinion. Considering that many AV products need to be backed up by a good Antitrojan product, the value is even greater... (for example NOD32 @ $40 + BOClean @ $40, and still not this level of protection - for $80?!?)
By the way... if you wish to test your AV heuristics, download this program:
ftp://ftp.externet.hu/pub/mirror/sac/avir/avtst30.zip
It creates a couple of mirror fake trojans to test your AV product. Note... Eset NOD32 failed all 4 tests. Not sure if it's by design or just that NOD32 heuristics aren't good enough to catch this. Their support isn't any help. Two responses I got from them were "we're looking into this" and "We find this not important"!
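As an added illustration (not code from the post above or from any product it reviews) of the layered argument it makes, and of the heuristic-plus-false-alarm-signature design it describes for F-Secure's Orion engine: two toy engines scan the same file side by side, a signature engine matching byte patterns and a heuristic engine scoring suspicious traits whose false alarms are suppressed by a list of known-good hashes, and the file is flagged if either engine fires. Every pattern, sample file, trait and score here is constructed for the demonstration.

```python
import hashlib
import math
from dataclasses import dataclass

# Constructed "definitions": name -> byte pattern a signature engine matches exactly.
SIGNATURES = {
    "Trojan.Constructed.A": b"CONSTRUCTED-TROJAN-A-MARKER",
}

# Constructed heuristic traits: strings a heuristic engine counts as suspicious.
SUSPICIOUS_STRINGS = {
    b"SetWindowsHookEx": "keyboard/mouse hook API (keylogger trait)",
    b"URLDownloadToFile": "downloader API",
}


@dataclass
class Verdict:
    engine: str
    detected: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means uniform (packed/encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_engine(data: bytes) -> Verdict:
    """Traditional engine: a hit requires an exact definition match."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return Verdict("signature", True, name)
    return Verdict("signature", False, "no definition matched")


def heuristic_engine(data: bytes, false_alarm_hashes=frozenset(), threshold: int = 2) -> Verdict:
    """Heuristic engine: scores traits; known-good hashes suppress false alarms."""
    if sha256_hex(data) in false_alarm_hashes:
        return Verdict("heuristic", False, "suppressed by false-alarm signature")
    hits = [why for s, why in SUSPICIOUS_STRINGS.items() if s in data]
    if byte_entropy(data) > 7.0:
        hits.append("high entropy (packed/encrypted body)")
    return Verdict("heuristic", len(hits) >= threshold, "; ".join(hits) or "no traits")


def layered_scan(data: bytes, false_alarm_hashes=frozenset()):
    """Run both engines; the file is flagged if any engine detects it."""
    verdicts = [signature_engine(data), heuristic_engine(data, false_alarm_hashes)]
    return any(v.detected for v in verdicts), verdicts


# Constructed sample files (not real malware).
KNOWN_TROJAN = b"MZ" + b"CONSTRUCTED-TROJAN-A-MARKER" + b"\x00" * 64
# Variant: one byte of the marker changed so the definition misses, but the
# keylogging and downloading traits are still present for the heuristic engine.
VARIANT = b"MZ" + b"CONSTRUCTED-TR0JAN-A-MARKER" + b"SetWindowsHookEx\x00URLDownloadToFile\x00"
# Benign packed utility: one suspicious API plus a high-entropy body trips the
# heuristics unless its hash is on the false-alarm list.
PACKED_TOOL = b"MZ" + b"SetWindowsHookEx\x00" + bytes(range(256)) * 8

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_TROJAN), ("variant", VARIANT), ("packed tool", PACKED_TOOL)]:
        flagged, verdicts = layered_scan(sample)
        print(label, "FLAGGED" if flagged else "clean")
        for v in verdicts:
            print("   ", v.engine, v.detected, "-", v.reason)
    flagged, _ = layered_scan(PACKED_TOOL, {sha256_hex(PACKED_TOOL)})
    print("packed tool with false-alarm signature:", "FLAGGED" if flagged else "clean")
```

Note that the union of two engines also unions their false positives, which is exactly why the suppression list matters once a second engine is added.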