Malware Detection Comparison Part 2



#1 fleamailman (Member, 2,383 posts)
Please forgive my linking this work from another forum; I don't believe that I can introduce this work otherwise, nor believe that I will be misinterpreted for it. Forgive or remove as need be, but I believe we can look at this work here; besides, I feel that this is in our interests too.

http://www.kickenhar...read.php?t=3463




1) All scanners were free or trial versions. They were fully updated and ran from Safe Mode.
2) Each scanner was removed after each scan.
3) Preparation of the computer consisted of clearing all the startup items and running Ccleaner.


SCANNER            ADWARE/SPYWARE   TROJANS/BACKDOORS/DIALERS/ETC   TOTAL

Spybot                   11                  0                       11
AVG                       0                 12                       12
Ad-Aware                 21                  6                       27
Norton 2005              11                 17                       28
SpySweeper               20                 13                       33
NOD32                    17                 22                       39
BitDefender              21                 23                       44
SuperAntiSpyware         25                 19                       44
A-Squared                23                 22 (plus 1 rootkit)      46
Kaspersky                16                 34                       50
Ewido                    22                 33 (plus 1 rootkit)      56




#2 james_8970 (Trusted Tech, Retired Staff, 5,084 posts)
Honestly,
everyone that does these tests achieves different results. Aside from that, it's difficult to compare infected computer "a" to infected computer "b" and say exactly which scanner is better than the other. With every variant there are many versions of each variant of malware. Sure, scanner "a" may remove this version, yet scanner "b" won't, but when you change the versions of the variant, this could all change and be the complete opposite.
If you look around the web, every test reveals a different story to tell the reader. There will never be one scanner that will remove it all; it's a fact we are all just going to have to deal with. When this situation comes about, it's nice to know things about HJT, and if you don't, it's nice to have nice people around who are able to assist you with your problems.
This test leaves us where we all were with the last one, and the one before that. But with the good comes the bad, and if you want your computer to stay healthy and want no risk of being infected, don't go on the internet.
Just my 2 cents and what I've seen in the past.
James

Edited by james_8970, 09 October 2006 - 06:54 PM.


#3 fleamailman (Topic Starter, Member, 2,383 posts)
I will check on that, but I think a condition of the test was the same comp, same infections, or else, agreed, it would be unreadable. And yes, there isn't 'something for everything always' as you put it; malware forums are proof of that.

#4 james_8970 (Trusted Tech, Retired Staff, 5,084 posts)
Even if it were a case of it being the same versions of each variant, scanner "a" may remove versions 2-65 but not 1 and 66. Yet scanner "b" may only remove versions 4, 5, 7, 3, 1, 34, 12, 76.
There is no way to really prove which scanner is better than the other, unless every scanner is tested against every single piece of malware available out there.....which is impossible since there is so much and so many new pieces being released each and every day. And even if it could detect it, could it remove it, or just disable it, warn you about it, or will it leave many things behind in the registry and other places when or if it does in fact remove it?
James

Edit: what it comes down to is preference.

Edited by james_8970, 09 October 2006 - 07:29 PM.


#5 fleamailman (Topic Starter, Member, 2,383 posts)
I think that is what is meant by approximation, but still, more is better than few, I believe. Found the bit you are looking for in part one there then.


The test victim:

A customer's XP computer loaded with nasties. It had very slow performance even after msconfig's startup was cleared. Popups reared their ugly head before IE was even opened. Trying to use IE was a lesson in futility. Since the customer was on vacation, I took the opportunity to run some head-to-head tests with various malware removal programs.

The computer had numerous toolbars, websearches, and a couple of "bad" P2P programs in the Add/Remove list. For testing purposes, these programs were not uninstalled. Preparation of the computer consisted of clearing msconfig's startup, and running Ccleaner.

The Hunters:

All free or trial versions of Ad-Aware SE, Spybot Search and Destroy, BitDefender's Antispyware, Nod32, Trend's spyware scan, and Ewido Antimalware. I wanted to include Windows Defender, but it requires SP2 and the computer didn't have it.

All programs were installed and updated in safe mode with networking. Scans were run in safe mode only. I won't list particular malware that every one of the scanners found.

The Results:

AD-AWARE SE:
Booked Space, Dialer, Dyfuca, WebEnhancer, win32.welchia, My Websearch, win32.trojan.downloader, Target Saver, VX2, Win32 trojan.DNSchanger, Zestyfind.

SPYBOT:
180 solutions, casclient, max search, my web search, network monitor, smitfraud, Max Search, Zesty Find, Dyfuca.

BITDEFENDER:
Backdoor Codbot, Backdoor Aimbot, Adware Agent, Hotbar, plus four various Trojans.

NOD32:
Win32 Dialer, Web Enhancer, Creazione, Win32.Nachi Worm, plus 16 Various Trojans.

TREND:
Avenue Media, Hot Bar, SideFind, Purity Scan, Web Enhancer, Target Saver, Avenue Media, Ad Clicker, plus five various Trojans.

EWIDO:
Backdoor Aimbot, Dropper Agent, Hijacker Small, Worm.Welchia, Backdoor Codbot, Backdoor Rbot, Downloader.Smallbuy, Hijacker.VB, Zesty Find, Dyfuca, Adware URL, Web Enhancer, Surfside, hotbar, Dropper Agent Downloader, TS Update, Dropper.Small, Adware Agent, Not.A.Virus, Downloader ISTbar, Adware Internet Optimizer, Downloader.VB, Downloader Small Buy, Downloader.Adload, plus 19 various Trojans.

CONCLUSION:

BitDefender was a huge disappointment. It seems that the makers of BitDefender AntiSpyware are still stuck in the now extinct "virus days".

Ad-Aware and Spybot were both decent at detecting general spyware and adware, but very poor at anything more serious. Trend wasn't much better other than the four trojans it found.

NOD32 was poor at detecting adware/spyware, but extremely good at finding the trojans.

Ewido was simply incredible. It reigned supreme in detecting both general spyware/adware, as well as trojans, backdoors, and downloaders.

Note:

For the actual cleaning, I ran HijackThis first, just to see what it showed. Needless to say, it was a log from malware [bleep]. I ignored it and uninstalled about five malware-causing programs. I then ran Ad-Aware, Spybot, NOD, and finished up with Ewido. HijackThis now only showed 3 rogue entries (2 URL search hooks and 1 missing file)...fixed that. On reboot, all was fine. Further scans and observations showed no malware present.


Edited by fleamailman, 09 October 2006 - 07:41 PM.

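The named detections quoted above can be put to the question the thread is circling: does any one tool's list subsume the others, and how much can a ranking built on one machine be trusted? The script below is an added example, not code from this thread or from the tester. It transcribes the Part 1 lists, drops the "plus N various Trojans" entries because they are unnamed (so every count is a lower bound), assumes that differently spelled vendor names (Zestyfind / Zesty Find, Nachi / Welchia) refer to the same item, and uses the union of everything any scanner named as the denominator, which is itself only a lower bound on what was on the machine.

```python
# Added example (not from the thread or the tester): coverage analysis of
# the named detections quoted from Part 1. The "plus N various Trojans"
# entries are omitted because they are unnamed, so every count is a lower
# bound; the ALIASES below are an assumption the thread does not make.
from __future__ import annotations

import math
import re

# Transcribed from the Part 1 results in the post (named items only).
RAW = {
    "Ad-Aware SE": "Booked Space, Dialer, Dyfuca, WebEnhancer, win32.welchia, My Websearch, win32.trojan.downloader, Target Saver, VX2, Win32 trojan.DNSchanger, Zestyfind",
    "Spybot": "180 solutions, casclient, max search, my web search, network monitor, smitfraud, Max Search, Zesty Find, Dyfuca",
    "BitDefender": "Backdoor Codbot, Backdoor Aimbot, Adware Agent, Hotbar",
    "NOD32": "Win32 Dialer, Web Enhancer, Creazione, Win32.Nachi Worm",
    "Trend": "Avenue Media, Hot Bar, SideFind, Purity Scan, Web Enhancer, Target Saver, Avenue Media, Ad Clicker",
    "Ewido": "Backdoor Aimbot, Dropper Agent, Hijacker Small, Worm.Welchia, Backdoor Codbot, Backdoor Rbot, Downloader.Smallbuy, Hijacker.VB, Zesty Find, Dyfuca, Adware URL, Web Enhancer, Surfside, hotbar, Dropper Agent Downloader, TS Update, Dropper.Small, Adware Agent, Not.A.Virus, Downloader ISTbar, Adware Internet Optimizer, Downloader.VB, Downloader Small Buy, Downloader.Adload",
}

# Assumed equivalences after lower-casing and stripping punctuation:
# Nachi is another vendor name for the Welchia worm; the rest are
# spelling variants of one item.
ALIASES = {"win32welchia": "welchia", "wormwelchia": "welchia",
           "win32nachiworm": "welchia", "win32dialer": "dialer"}


def normalise(name: str) -> str:
    """Collapse 'Zesty Find' / 'Zestyfind' / 'zesty find' to one key."""
    key = re.sub(r"[^a-z0-9]", "", name.lower())
    return ALIASES.get(key, key)


def detections() -> dict[str, frozenset[str]]:
    """Scanner -> set of normalised detection names (duplicates collapse)."""
    return {s: frozenset(normalise(n) for n in raw.split(","))
            for s, raw in RAW.items()}


def union_of_all() -> frozenset[str]:
    """Everything at least one scanner named: the best denominator we have."""
    return frozenset().union(*detections().values())


def coverage(scanner: str) -> int:
    return len(detections()[scanner])


def unique_to(scanner: str) -> frozenset[str]:
    """Items no other scanner in the test named."""
    found = detections()
    others = frozenset().union(*(v for k, v in found.items() if k != scanner))
    return found[scanner] - others


def greedy_cover() -> list[tuple[str, int]]:
    """Greedy set cover: which tool to run next, given what the earlier ones
    already caught. Returns (scanner, new items it added) in order and stops
    when no remaining scanner adds anything."""
    found = dict(detections())
    covered: set[str] = set()
    order: list[tuple[str, int]] = []
    while found:
        best = max(sorted(found), key=lambda s: len(found[s] - covered))
        gain = len(found[best] - covered)
        if gain == 0:
            break
        covered |= found.pop(best)
        order.append((best, gain))
    return order


def wilson(k: int, n: int, z: float = 1.96) -> tuple[float, float]:
    """95% Wilson score interval for a detection rate of k out of n."""
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def overlap(a: tuple[float, float], b: tuple[float, float]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


if __name__ == "__main__":
    n = len(union_of_all())
    print(f"{n} distinct named items across all scanners")
    for s in RAW:
        lo, hi = wilson(coverage(s), n)
        print(f"{s:12} {coverage(s):2}/{n}  95% CI {lo:.2f}-{hi:.2f}  "
              f"unique to it: {len(unique_to(s))}")
    print("greedy order:", greedy_cover())
```

Run as a script it reports 40 distinct named items, Ewido with 23 of them and 15 that nobody else flagged, BitDefender adding nothing the others lacked, and a greedy run order of Ewido, Ad-Aware, Spybot, Trend, NOD32 to reach all 40. The Wilson intervals are the sobering part: with n = 40 the interval for Spybot (8/40) is about a quarter wide and overlaps Ad-Aware (11/40) and Trend (7/40), so the middle of the table cannot be ordered from this one machine, which is James's objection in numbers. Only Ewido against BitDefender separates cleanly.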

#6 james_8970 (Trusted Tech, Retired Staff, 5,084 posts)
I have already read that, and it's not telling me much.
My problem is that he wasn't using enough samples to really determine which one is better than the other. In the past I have had Spybot remove Hotbar from my computer; that was probably another version from what was tested here though, since that was 1 year ago. I find it hard to believe that Spybot would remove SmitFraud, maybe an entry or two but not everything. Ewido is capable of removing more than 19 trojans, a lot more; that's just one way to prove that this was a very small sample. However, you can't do it all in one big swing.....one computer wouldn't be able to handle 1% of all the malware out there these days. It just would lock down and be done.

Concluding what I'm saying here, this sample is WAY too small to compare one malware scanner to the next.
James

#7 sari (GeekU Admin, Community Leader, MVP, 21,805 posts)
I think what James is trying to say is that you really need a combination of products and tools to effectively clean a PC of malware/viruses/trojans, etc. If you follow any of the posts in malware, you'll see the helpers running specific tools as needed, such as SmitfraudFix, and more general scans, such as Ewido and Panda's ActiveScan. I rarely rely on one tool, and in the tests that were run, I see that there were some infections that really require specific removal tools in order to effectively delete them. If you're planning to run scans on a regular basis to help keep your PC clean, these results might help in determining what to use, but for cleaning an infected machine, I think they're woefully incomplete and don't take the type of infections into consideration.

#8 fleamailman (Topic Starter, Member, 2,383 posts)
Agreed on both your and James's points, but you and I are different from the man on the street here. James is right in that we don't know the total or approximate numbers of malware in the test, so we cannot judge that, which I agree is an important flaw in the test; and again I agree that in the malware removal here one reads the logs to see what state the computer is in before choosing the right tool for it. Both those points are valid; however, once I have cleared this point with him, I still feel that an approximation of the strengths and weaknesses of these tools as a guideline to the programs out there is better than just buying a product on the basis of market share, price, or pot luck, that is unless you want to continue removing malware from Norton and McAfee?

[The views expressed in this subject by me are my own and they do not reflect the usually smarter replies given by those who answer; it is just how I learn.]

Edited by fleamailman, 10 October 2006 - 08:45 AM.


#9 warriorscot (Member 5k, Retired Staff, 8,889 posts)
Didn't we have a couple of links to larger, slightly better done AV comparisons in the staff forum? The AV selection there is pretty small as well; there are lots of different AVs and the breakdown is pretty poor. Even in the much larger ones we discussed there were a million and one faults, and they seemed half decent (although one I think was quite bad, if I remember).