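They are taking this one quite seriously; below are some of the posts. (Hopefully someone has time to translate them, I've been too busy lately!)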
Interesting the apparent difference caused by reducing the time frame for samples to only one week and the number of samples to under half. Comparison between the November result and this report. Unless of course it is due to a change in the type of samples in backdoors and trojans which need the increased capability of V8 to pick up.
hips is better than the normal heuristics because it also gives programs a rating. so a program can have 100% danger rating and be blocked without a heuristic verdict (heur....)
about avira being strong...and? avira doesn't have hips, proactive defense, i don't think it even has self defense.
also if you look on page 3: it would block 68% of samples
heuristics can not be replaced by HIPS.
HIPS has to have the program running before taking action.
That's more dangerous. And Heur doesn't have to; it can take part in the on-demand scan.
And plus good Heur, we can use another good HIPS to improve further.
Kaspersky should not just depend on HIPS to detect the unknown malware.
This time AVIRA gets an advanced+, with FP rate improved a lot.
Heuristics can be improved with high detection rate, and also low FP rate.
no it doesn't, 68 of those applications would have been blocked execution so it's not like you are blocking writing of a registry key, they were blocked. I see no problem with that.
I think v2009 Heur should be improved in the final edition or MP1
Heuristics are always going to be continually improved. It won't stop at final or at MP1/MP2 et al. The emulator can be updated along with other database updates.
Heuristics are always going to be continually improved. It won't stop at final or at MP1/MP2 et al. The emulator can be updated along with other database updates.
Correct.
That's the great thing about v2009
Kaspersky should not just depend on HIPS to detect the unknown malware.
They don't just depend on HIPS; there's heuristics, PDM and, of course, generic signatures (assuming all are enabled). Whichever of those gets there first and wins the round has gotta be cool.
... but I assume that the emulator level of 500 is not user configurable
"I think I am not allowed to explain how to tweak it to get the emulator at the same level as used in the HIPS." admin, IBK(?)
http://www.av-comparatives.org/forum/index...D=2911#post2911
May I ask what's the point of such a test?
Some may call this "cheating".
Cheers
I'm curious how KAV 8 would score on the on-demand comparative test.
Maybe we'll get about 99% again?
May I ask what's the point of such a test?
Some may call this "cheating".
I call it "not understanding a test".
There is a difference in detecting something heuristically at HIPS level and blocking a threat automatically by the HIPS. For example it may mean that 49% are detected heuristically (to make it simple imagine HEUR.Trojan.Generic) and 68% with the HIPS blocked malware (like in the pictures in the PDF). It is described in the report, it has nothing to do with "cheating", so please be more careful with your wording next time. The results are those that you would have got if you would have used the product. If you are not interested to know how much of the 68% would additionally have been detected by the heuristic at HIPS level while you execute the file, just ignore it.
Shame we don't know how much the packer detection contributed :| (IBK, can we have a teeny hint?)
I'm curious how KAV 8 would score on the on-demand comparative test.
Maybe we'll get about 99% again?
well, my observation is that av vendors are quite struggling to catch up with the amount of samples we have these days...
here are some "probably not very reliable" statistics, from me
they are based on data from april 2008 on something over 1.500.000 possible malware files (every file is detected by at least one av scanner)
WARNING
- these statistics are only informational, av products are NOT directly tested and compared for detection. in other words, this is not done to test and compare av scanners and so the results may very well be buggy (for example old program versions might be used; bad misconfiguration of settings; a bit old signatures;...)
NOTICE
- first number is the number of not detected samples, second number is the % of detected samples from all samples
- why two numbers? i am doing this for quite some time now, before i was always representing only the %, i have now however somehow realized that this is somehow bad because now we have so many samples. few years ago 2% of 100.000 samples was 2.000 not detected samples, now 2% of 1.000.000 is 20.000 not detected samples and so saying something like that an av scanner is not detecting only 2% of samples for the past 5 years just somehow feels like hiding the truth
- i just reinterpret the results (logs). i DON'T do the scanning and i DON'T have the samples, so please don't ask if i can add or retest some scanners
- KAV new heuristics were NOT used in this scan (with some scanners unfortunately old versions seem to be used)
Avira 48660|96,78
Kaspersky 67946|95,50
Ikarus 83917|94,44
Avast 92343|93,88
F-prot 104299|93,09
Symantec 107063|92,91
BitDefender 117658|92,21
McAfee 126588|91,62
Norman 147024|90,26
Trend 157333|89,58
Microsoft 159869|89,41
AVG 175118|88,40
Rising 243065|83,90
ok here is something new from me, i have put all of my raw data from the past years in excel and got this nice graph
different lines represent different av vendors, except the top (dark blue) line which represents the total number of samples. i am not showing this to compare different vendors but to show some other (maybe interesting) facts that one can get from such an "over time" representation.
- first obvious thing we are able to see is the increase of the number of samples in last year. lately this fact has been represented by few av vendors (for example http://www.f-secure.com/weblog/archives/00001351.html ), the fact that the number of samples has doubled in one year from what we had before over 20 years. and that seems like some bad news.
- second thing we could see if we would look closely at the graph is the fact that the gap between the top line, that represents the total number of samples and the first line above it, which represents the av that has detected most of the samples, is getting bigger (some number, in year 2004 it was around 4000 missed samples... you can see the latest results in the above table). and that also seems like some bad news.
- third thing we could see is that in 2004 different av scanners had very different results, they were everywhere between 50% and 98%, these days however they are all mostly quite high, despite the huge number of samples we have these days. this however seems as some good news, finally
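
A consistency check on the April 2008 table above, as an added example that is not part of the original posts: each row's missed count and rounded percentage imply a range for the total number of samples, and those ranges must overlap if every scanner was run over the same set. It assumes the percentages were rounded to the nearest 0.01; the function names are illustrative.

```python
from fractions import Fraction
from math import ceil, floor

# Rows copied from the table in the post: vendor, missed samples | detected %
TABLE = """\
Avira 48660|96,78
Kaspersky 67946|95,50
Ikarus 83917|94,44
Avast 92343|93,88
F-prot 104299|93,09
Symantec 107063|92,91
BitDefender 117658|92,21
McAfee 126588|91,62
Norman 147024|90,26
Trend 157333|89,58
Microsoft 159869|89,41
AVG 175118|88,40
Rising 243065|83,90
"""
# Assumption: each percentage was rounded to the nearest 0.01 (not truncated).
HALF_STEP = Fraction(5, 1000)

def parse_rows(table):
    """Return (vendor, missed, detected_pct) tuples; handles the decimal comma."""
    rows = []
    for line in table.strip().splitlines():
        vendor, numbers = line.rsplit(" ", 1)
        missed, pct = numbers.split("|")
        rows.append((vendor, int(missed), Fraction(pct.replace(",", "."))))
    return rows

def total_bounds(missed, pct):
    """Range of total sample counts that one row is consistent with."""
    miss_pct = 100 - pct
    return (missed * 100 / (miss_pct + HALF_STEP), missed * 100 / (miss_pct - HALF_STEP))

def implied_total(rows):
    """Intersect all per-row ranges; an empty intersection means rows disagree."""
    bounds = [(vendor, *total_bounds(missed, pct)) for vendor, missed, pct in rows]
    lo_vendor, lo, _ = max(bounds, key=lambda b: b[1])
    hi_vendor, _, hi = min(bounds, key=lambda b: b[2])
    if lo > hi:
        raise ValueError(f"{lo_vendor} and {hi_vendor} imply different sample sets")
    return ceil(lo), floor(hi), lo_vendor, hi_vendor

def missed_at(pct, total):
    """Absolute misses the same detection percentage means on a corpus of `total`."""
    return round(total * (100 - pct) / 100)
```
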