tinyurl.com/cqfdy -> www.virusbtn.com/Session-b7781bb118a77dbf69510efe119d79b2/virusbulletin/archive/2005/06/vb200506-comparative
VB Comparative: Windows XP - June 2005
2005-06-01
Matt Ham
Virus Bulletin Editor: Helen Martin

Abstract
This month's testing process proved to be relatively plain sailing for VB's resident reviewer Matt Ham. Find out whether it was such a breeze for the 28 products on test.
Technical details

Introduction

VB's last comparative review on Windows XP (see VB, June 2004, p12) was carried out at around the same time as the release of XP Service Pack 2. Fortunately for the products, the release date of SP2 was just after the deadline for the comparative, thus the products were spared the challenge of having to perform on the newly updated platform. Having had close to a year in which the products could adapt to the new features in SP2, this month's review was expected to bring few surprises and not to be too taxing.

The testing process was the smoothest that I can remember, with only a handful of crashes to mar the plain sailing. Considering the instability problems I usually encounter on other platforms, this is convincing evidence that Windows XP bears the bulk of testing, whether this be by developers in-house or at the hands of end users.

All but one of the products on offer integrated fully with the Windows Security interface, which was a slightly higher percentage than I had expected. Of more immediate importance to users, there was a significant upsurge in the number of false positives generated while scanning the clean sets. This meant that a VB 100% award was denied to more than one of the products in the review. On a more personal level, the logging attempts by some products ranged from the downright disgraceful to the perplexingly cryptic.

The test sets

The test sets were aligned to the February 2005 WildList, with a product submission deadline of 3 May 2005. This time lag should have been enough for all but the most tardy developers to catch up with detection, thus high detection rates were expected. The additions to the In the Wild (ItW) test set were a dull bunch, as ever, and possibly the most uninspiring yet. The predominance of various W32/*bot samples does not give cause for further comment.
There were no other problems that were relevant to VB 100% status, thus AhnLab is in receipt of the award this month. However, problems were encountered during on-access testing of V3Pro. Somewhat unusually, the 'leave as is' option for on-access detection does not deny access to infected files. Thus infected files were deleted instead of logging denied access attempts. V3Pro is also unusual in that it does not scan archives by default. The option was activated when scanning archives during the clean set timings.
started problematically, with an error proclaiming that ashEnhcd was out of memory. As has been noted in previous reviews, this was due to the fact that all viruses detected on access are added to the quarantine area, even when the quarantine option is not activated. In this case it seemed that the resultant filling of the OS partition also denied the system virtual memory, hence the error. The timing function within the product was also rather eccentric. Since these timers are often flawed, external timing is used for the clean set scans and then compared against the product's listed timings. It seems that the internal timer starts not from zero, but from five seconds, thus adding considerable illusory overhead to fast scans. The product performed admirably on other fronts, and obtained a VB 100% award easily.
To circumvent this problem the tests were performed with the scanner set to delete infected files, and repeated until no further infections were logged. That Nimda can cause problems so long after its release is an enduring mystery to me. A false positive in the clean test sets completed ArcaVir's woes, with this adding to the miss of the ItW Nimda sample to deny the product a VB 100%.

However, there were a number of issues with the log file which caused some grief. First, the log file is available only as an RTF file, which increases its size appreciably. This might not be such a problem if the log were not truncated before export can occur, since a more compact log would be expected to be truncated less, if at all. Due to these logging problems the on-demand tests were performed by deleting infected files and examining those left. While logging was problematic the other aspects of testing were not, with a VB 100% award being the result.
In the case of Avira a reboot is deemed recommended, but not vital - which makes it a little unclear as to what might be changed by the reboot process. Detection rates have improved once more for Avira, and are now very good, with no misses either on access or on demand. With no false positive detections either, the result is a VB 100% award for Avira.
In total 28 false positives were generated during clean set scanning - certainly enough to give cause for concern and equally sufficient for a VB 100% to be denied. These two products also share the dubious distinction of being the last to present log file entries in a strict 8+3 format, a feature which complicates parsing of the logs no end.
CA's eTrust Antivirus supports two engines, this being an optional setting with the InocuLAN engine activated. Updating was particularly seamless, to the extent that I assumed it must have failed due to being so fast and not interrupting the on-access scanner. As ever, all is well with the product until the log files are encountered. These are so outrageously poor that the designer should be chained to a rock and his liver devoured by eagles in the ancient fashion. Not only do the results for single files stretch over several lines due to word wrapping, but the word wrapping is continued over several columns - fragmenting the results beyond any ease of parsing, either automatically or by observation.
Since the scanning results were good and no false positives arrived to spoil the proceedings, a VB 100% award is awarded. The logging was, however, the same abomination as with the alternative engine.
Vet remains unique in that an out-of-date version of the product refuses to scan, forcing the user either to update or have no scanning functionality at all. Quite how effective this is with real users - who are not always known for choosing security over convenience - is a matter for conjecture.
As such the comments made for that product are directly applicable for Quick Heal. Sadly for CAT, this includes the withholding of a VB 100% award due to the generation of 28 false positives in the clean test set.
Web remains admirable in every way other than the configuration of its on-access scanner. This requires a reboot after any configuration change, including such matters as changing the default log size, which might be classified as relatively minor. The tray icon for the scanner also vanished at one point, seemingly a configuration change triggered merely by opening a dialog rather than actually changing settings.
A in their zipped form, suggesting that such scanning may be activated by default. On this occasion Eset's scanner missed two samples in the standard set, though this was not sufficient to deny the company another VB 100%.
However, an error on my part highlighted an odd feature of the product. As a matter of routine, on-access scanners are deactivated during testing of on-demand functionality. This should make no difference in theory, as one would expect that a scanner would be instructed not to scan on access a file which it is opening to scan on demand. When the F-Prot on-access scanner was inadvertently left running during an on-demand test the result was to show several files that had been blocked by the on-access scanner. This behaviour has been observed in other products in the past, but usually goes unnoticed due to the testing methodology.
Since both samples require a degree of interaction to turn into an infectious object, such misses can hardly be considered a problem. Part of the predictable nature of FSAV is its string of VB 100% awards, to which it adds another on this occasion.
Clearly, the combination of engines used by AVK is capable of good protection, though speed issues might be a ...