
[Share] A novice's brief analysis of the VB100 report, part one: the on-demand scanning section

猪头无双
Posted on 2011-1-18 12:43:33
This post was last edited by 猪头无双 on 2011-1-18 17:19

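Purpose of this post:

Simply to translate a few parts I have picked from the December VB100 report. It shares VB's views on the various antivirus products with everyone, and is also a way for me personally to take a fresh look at the VB tests.

The plan for the reserved floors is as follows:

1L: screenshot of the overall on-demand scanning table, with some explanatory text, so we can see how VB defines on-demand scanning.
2L: screenshots plus text comparing the products submitted by avast, AVG and Avira and their detailed reports, so we can get to know these three products, especially the comparison between the free versions of Avira and avast, giving those torn between the two another reference point.
3L: screenshots plus text on Kaspersky. This is Kafan, after all.
4L: screenshots plus text on McAfee Enterprise.
5L: hold-up

"VB100 COMPARATIVE REVIEW ON WINDOWS 7 PROFESSIONAL" (note that the test platform is Windows 7 Professional)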

The deadline for product submissions was 27 October, with the official test set deadline on 22 October. The core certification set was built around the latest official Wild List available on this date, which was the September list, released on 19 October. The list comprised the usual selection of password stealers targeting online banks and gamers, alongside the standard complement of worms, bots and similar nasties. Several of the strains of W32/Virut that have been causing problems in recent comparatives fell off this month’s list, but were replaced by yet more variants. We ceased all updates to our clean test sets on 22 October as well, with a wide range of new items having been added in the weeks running up to this – additions mainly focused on popular download software, but also included a selection of major business software. Older and less significant items were removed from the sets as usual. The remaining test sets were adjusted along the normal lines, with a selection of new items added to the polymorphic set and some older ones retired. The sets of trojans and worms were for the most part rebuilt from scratch with items first seen by us since the end of the last test.


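The deadline for collecting samples for the participating software was 27 October, while the deadline for the official test was the 22nd. The test is built mainly around the September WildList, released on 19 October. This WildList includes some password-stealer samples targeting online banking and gamers, and a series of newer variants of the Win32/Virut virus; the remaining polymorphic test had newly appeared samples added, and the trojan and worm tests collected new samples that have appeared since the end of the last test. The whitelist was also updated, mainly focusing on popular download software and a range of mainstream business software.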










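Judging from the screenshot and the official report, on-demand scanning tests the following parts:
WildList + worm test + polymorphic virus test + trojan test + whitelist test (false positive test + suspicious sample test)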



Ratings: 1 participant, popularity +1
fangweiqin +1: Excellent article

猪头无双
Original poster | Posted on 2011-1-18 12:44:00
This post was last edited by 猪头无双 on 2011-1-18 15:26

1.avast free


Avast Software avast! 5.0.677
Additional version information: Definitions 101027-1
ItW 100.00%                          Polymorphic 94.41%
ItW (o/a) 100.00%                 Trojans 98.48%
Worms & bots 97.90%           False positives 0

After a batch of fairly hefty products, the hugely popular free version of avast! surprised us by arriving as a mere 50MB install package, including all required updates. The installation process was very simple, with the offer to join a community feedback scheme and the creation of a system restore point the only items of note. With no reboot required, the whole process was over in less than 30 seconds. The interface is simply delightful – easy on the eye and the mind alike, providing ample configuration options without being overwhelming. Despite its free-for-home-use nature, the product includes a pretty thorough range of additional protection layers as would be expected of a fully fledged security suite. Running through the tests proved as pleasing as ever, with splendidly fast scanning speeds and similarly impressive on-access measures. RAM usage was fairly low, but CPU consumption a little higher than expected. Detection rates were also excellent, in the RAP sets as well as the standard ones, and with no problems in the clean or WildList sets the product easily earns a VB100 award. Stability, responsiveness and general good design also earn Avast a respectful nod of approval from the lab team – the fact that all tests were complete not long after lunch on the same day they were started brought an additional smile.



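After releasing a series of impressive products, we were pleasantly surprised to find that avast free comes in at a light 50MB yet includes all the necessary components, worthy of being the most popular free antivirus (PS: personally I think 360 still has something to learn from them). Installation is simple; it also offers to join community feedback, and the small feature of creating a system restore point is worth noting. Since no reboot is required, the installation process is kept within 30 seconds. The interface is clean and likeable, providing rich configuration options without seeming cumbersome. Although it is a free product for home use, the protection it provides can almost rival a mature full-featured suite. It performed well in testing, with extremely good detection speed and simple, effective real-time virus detection. RAM usage is low, but it uses slightly more CPU than expected. Detection rates are also outstanding, including in the RAP test, and it performed perfectly in the false positive test and the WildList test, easily taking the VB award. Stability, responsiveness and good design also won general approval from the test team.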

2. AVG IS


AVG Internet Security 2010 10.0.1152

ItW 100.00%                Polymorphic 99.33%
ItW (o/a) 100.00%       Trojans 95.41%
Worms & bots 99.33% False positives 0


Back with the larger installers, AVG’s comes in at 141MB, but does promise a complete suite. The set-up process is quite lengthy, and includes the offer of a toolbar which provides Yahoo! searching alongside the security features. No reboot is needed at the end, but the set-up is followed by some additional configuration stages, including registration of the user’s personal information and the option to join a community feedback scheme. The interface – which is also accessible via a funky modern desktop gizmo – has had a bit of a face lift since its appearance in recent tests, and looks sharp and crisp, although still somewhat cluttered by the large number of modules. Configuration is provided in considerable depth, but is generally straightforward to access and the layout makes good sense. Previous tests have seen some rather sluggish scanning speeds and we were prepared for more of the same, but the face lift noted above has clearly gone deeper than the surface, providing some considerable improvements at the operational layer too. Initial scan times were pretty decent, and repeat runs lightning fast, indicating a smart approach to known clean items. Even with the settings turned up from their initial default level, which delves deep into archive files but trusts in file extensions to decide what to scan, speeds remained more than respectable. A similarly impressive speed-up was observed in the on-access tests, and RAM use was perhaps just a fraction above the month’s average, but CPU use appeared fairly high in comparison to the rest of the field. Detection rates were excellent in the main sets, and made a solid start in the RAP sets too, dropping off fairly steadily through the weeks but never dipping below a reasonable level. The suite includes a thorough range of additional protective layers to cover more recently emerging threats. Stability was flawless, and testing was complete within the 24-hour period hoped for. With perfect coverage of the WildList and clean sets, a VB100 award is comfortably earned by AVG.

Compared with the larger installers, AVG's is only 141MB, yet it is a full-featured suite. The installation process is lengthy and includes an IE toolbar that provides Yahoo! mail notifications and security checks. No reboot is needed, but there are several steps to complete at the end of installation, including registering the user's personal information and the option to join the community. The interface, which comes with a trendy desktop gadget, has improved over the versions in previous tests and looks clear and crisp, though somewhat cluttered by the large number of separate components. The settings are layered yet simple and easy to take in, and the layout feels good. Previous tests exposed the problem of slow scanning speeds, and for this test we were prepared to run a few more rounds. At the same time, the interface improvement mentioned above makes the product seem deeper and provides some major improvements. The first scan was unremarkable and the second scan slightly faster, which shows that the product's recognition of clean files has improved. Even with the default level of the first scan (a setting that scans deep inside archives according to file extension), scanning was also slightly faster. The same speed-up showed in the on-access scan; RAM usage was perhaps slightly high, but CPU usage was indeed quite high. Detection rates were good in the main tests and made a good start in the RAP test too; stability dropped slightly, but not unexpectedly. The suite provides thorough additional protection against recently emerging threats. Stability was good, testing was completed within 24 hours, and it performed perfectly on the WildList and whitelist tests, so this VB award goes to AVG.

3.avira free




ItW 100.00%               Polymorphic 100.00%
ItW (o/a) 100.00%       Trojans 99.13%
Worms & bots 99.82% False positives 0

Avira’s free-for-home-use product was provided as a 43MB main installer with 45MB of updates, and ran through fairly rapidly. It informs the user that Windows Defender may no longer be useful, but doesn’t go as far as removing it. It also offers an optional registration system, and fills the screen with a large advertisement encouraging the user to upgrade to the full paid edition. No reboot is needed to complete. The interface is fairly simple and not overwhelmingly attractive, but provides a solid range of configuration options, many of the more interesting ones tucked away in the ‘advanced’ area. Default settings are sensible, although the scheduled scan job is fairly unusual in being set up ready to go but not enabled by default. Scanning speeds were pretty decent – although there was no sign of speed-up on repeat runs – and file access times were similarly good. Resource usage was on the low side of average. The infected sets were powered through in splendid time, although a couple of items in the RAP sets appeared to snag the scanner somewhat; these needed to be removed to allow the scans to complete, but even with this interruption the product completed all tests without even needing an overnight stay. Detection rates were as superb as ever, with the RAP scores declining only very slightly into the later weeks. The WildList presented no difficulties, and with the clean sets handled well too, a VB100 award is comfortably earned by Avira.


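Avira's home edition has a 43MB installer, 45MB after updating, and updates quickly. It prompts the user to turn off Windows Defender and then runs the program. It has a registration pop-up and a large advertisement, and no reboot is needed. The interface is simple and uncluttered, provides multi-level settings, and "expert mode" has further settings. Default settings are clean and clear, but the scheduled update job does not run automatically at startup; it runs at the default interval instead (24 hours, as everyone knows). Scanning is fast; the second scan did not noticeably speed up, but on-access file scanning times were well controlled. Resource usage is low and disinfection settings are impressive; despite a hang bug in the RAP test, it still performed well, without dragging on to the next day. Detection rates are extremely high, with RAP figures slightly lower. The WildList was dealt with in minutes, settings are simple, operation is easy, and the VB award is beyond doubt.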





猪头无双
Original poster | Posted on 2011-1-18 12:44:23
This post was last edited by 猪头无双 on 2011-1-18 16:35

KIS 2011


ItW 100.00%                Polymorphic 100.00%
ItW (o/a) 100.00%       Trojans 95.49%
Worms & bots 98.02% False positives 0




The latest version of Kaspersky’s ever-popular consumer suite solution was provided as a slightly larger 110MB installation package, and used the same set of bases for its updates. The installation process zipped through rapidly – all done in half a minute with no need to reboot – and presented the latest interface in all its glory. The trademark green has been toned down somewhat from recent editions, ditching the shiny metallic look for a more autumnal, foresty shade, and the product itself has a number of other more technical innovations rolled in. These include another Windows 7 desktop gewgaw, and a snazzy drag-and-drop scanning system, but all the old fine-tuning controls are still available under the bonnet, in their usual slightly quirky presentation style. Again, scanning speeds started off average and sped up massively for the warm jobs, and on-access times were similarly enhanced after initial inspection. RAM use was a little higher than for the version 6 edition, but CPU use was way down. We saw the same batches of samples snagging the scanner – most of them small installation packages which were mostly excluded from the final RAP lists in the later stages of validation – but we were ready this time and removed most of them as soon as we saw the issue re-emerge. It was interesting to note that the option to abort scanning a file after 30 seconds seemed not to help out with this issue. Also recurring was the extreme slowness of displaying and exporting logs, but perhaps this is forgivable given that our log data is orders of magnitude larger than any that a real-world user would need to handle. In the final reckoning, after a day and a half or so of work completing the tests, scores were again superb, a few notches higher than the older version as one might expect. RAP scores in particular were pretty stellar, and the core certification sets proved a breeze, with another VB100 award going to Kaspersky this month.

Changes in the new version
1. The look has become softer: use of a new green label, and a Windows 7 gadget.
2. The overall layout is a little odd, but the traditional, excellent fine-tuning controls are still there.
3. No reboot is needed after installation; the installer is 110MB, which is slightly large. Scanning speed started at an average level and later sped up. On-access monitoring speed improved after the first scan.
4. RAM usage is slightly higher than version 6.0, but CPU usage is lower.
5. The missed samples were of the same type: most were small program installation packages, mostly samples counted as clean files in the RAP test, but the official side spotted the problem in time and removed them. We found an interesting phenomenon: if scanning is suddenly aborted after a file has been scanned for 30 seconds, the pause button does not work. At the same time, the functions for displaying logs and reports do not work either. This shows that the detection measures we use involve far more data than a real-world user sends when submitting samples. After a day and a half of testing we finally tallied the results, and the scores turned out surprisingly high, with some items higher than we expected. The RAP score was especially high, so we are giving this year's VB award to Kaspersky.





Ratings: 1 participant, popularity +1
fangweiqin +1: Excellent article

猪头无双
Original poster | Posted on 2011-1-18 12:45:16
This post was last edited by 猪头无双 on 2011-1-18 17:12

McAfee Enterprise Edition



ItW 99.99%                 Polymorphic 100.00%
ItW (o/a) 99.99%        Trojans 81.51%
Worms & bots 94.59% False positives 0

McAfee’s business product has been another long-term high achiever in our tests, regularly praised in these pages for its no-nonsense approach and simple usability. The company has missed a few tests recently, and had some problems with complex polymorphic file infectors a few months ago, and after considerable work assisting diagnosis we were hopeful of a change in fortunes this month. The product arrived as a 27MB installation bundle, with an additional 13MB of patches and 79MB of updates, all in easily applied executable formats. It ran through its set-up fairly quickly and easily – the most interesting moment being the offer of ‘standard’ or ‘maximum’ protection. At the end it announced that, while a backup was not strictly required right away, it would be needed for some components to operate fully, so we restarted immediately. The interface, which requires a response to a UAC prompt each time it is opened, remains its austere, businesslike self, with no unnecessary glitz or clutter. Controls are well designed and simple to operate, and full configuration is available in all areas. On-demand speeds were good with the defaults, and not bad with the settings turned up to full, and while on-access scanning times were perhaps a shade above average, RAM use was low and CPU use in busy periods not excessive either. The detection tests (which do not measure the extra protection provided by the product’s cloud-based Artemis system) ran smoothly, and logging was clear and reliable.

The only problem we observed – which caused us to re-run some of our on-access tests – was one we have commented on in these pages before, but which seemed more pronounced this month: when the on-access settings are changed, there is a noticeable period when the protection seems to go down and restart. We observed this in the main on-access test: having noticed the informative pop-up busily reporting numerous detections and worrying that it might hinder progress, we set the notification option to off; on checking the logs of our opener tool, we saw that several hundred samples (which we knew the product should detect) were not blocked during this period, implying that protection had been off for a good 10–20 seconds. This is unlikely to be a major problem, as most people will not be regularly tweaking their settings and it would be pretty unlikely for anything to penetrate a system during one of these brief spells, but it is still a little worrying. That aside, we gathered a full set of results in under the allotted 24 hours. We saw some solid scores in the standard sets and decent rates in the RAP sets too – even without the benefit of the cloud resources intended to bolster protection against the latest threats. The clean set was handled smoothly, but in the WildList set a single sample of W32/Virut went undetected. Generating several thousand more samples to provide to the developers proved fruitless, so it was clear that this was a most unlikely combination of circumstances, but was still enough to deny McAfee a VB100 award once again.


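McAfee Enterprise is also a frequent award winner in our tests, especially thanks to its strict approach to identifying viruses and its simple usability. In the last few tests McAfee did not win an award, and a few months ago it slipped up in handling polymorphic viruses. After careful study, we decided to give McAfee another chance and see how it performed. McAfee's installer is 27MB, the patches 13MB and the updates 79MB, and all the programs are simple and easy to use. Installation is simple; the most interesting part is choosing between standard and maximum protection, and a reboot is needed at the last step of installation. Every time the console is opened, UAC pops up to ask whether to allow it. The interface style is plain, with nothing superfluous. The controls are simple to operate and cover every area. On-demand scanning lets you see the details, while on-access scanning times are slightly too long. RAM usage is not high, and CPU usage while scanning is not high either. The detection process went smoothly (Artemis was not tested), and the logs are clear and reliable. The only problem we found was that we needed to re-run some of the on-access tests, because when we change the on-access protection settings, the protection seems to be lowered or restarted. We found this problem in the main on-access test and noticed frequent pop-ups; we worried they would affect the test process, so we turned the pop-ups off and only checked the logs with our tool at the end. We found that several hundred samples that should have been detected were missed, and further found that the protection had been down for nearly 20 seconds. This is not a major problem, because most people do not change their settings back and forth for fun, and even when this kind of protection outage happens, a virus will not get deep into the system; still, it is a problem. Apart from that, we collected the detailed test results of the last 24 hours. We found that in some of the main tests and in the RAP test, McAfee Enterprise still performed well even without cloud support. The false positive test, however, did not go so smoothly, and in the WildList test it missed only one W32/Virut sample. Overall, McAfee Enterprise's performance is still good, but it needs further development, so we gave McAfee this VB award.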

猪头无双
Original poster | Posted on 2011-1-18 12:45:36
This post was last edited by 猪头无双 on 2011-1-18 17:13

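In the end I gave up on covering the domestic products, to save myself the aggravation.

Personal views:

1. VB's on-demand scanning is fairly strict.
2. In fact we find that the VB test does have a "second scan", but it is done offline, so it is inevitable that a certain domestic product relying mainly on the cloud ends in tragedy. This is consistent with AV-C's view of testing: the cloud is only an aid, not the main thing, so that domestic product should either fall in line with the West or cast the West aside and go it alone to the end.
3. Detection rate actually reflects the ability to collect samples, so this kind of test is actually rather dull; treat it as a reference only.

Changed to a hold-up

You all know what I mean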

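Ratings: 6 participants, popularity +6
wusuwusu +1: Per the board rules, +1 as encouragement
星空下的吻 +1: Came to admire
Dirk +1: For the translation
zhangxujian11 +1: Sitting down to read this slowly~~
jefffire +1: Not translating the domestic ones is a let-down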

猪头无双
Original poster | Posted on 2011-1-18 12:46:58
This post was last edited by 猪头无双 on 2011-1-18 17:14

Thread open
listen1
Posted on 2011-1-18 16:50:59
Support. Translation is hard manual labour.
猪头无双
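Original poster | Posted on 2011-1-18 17:15:14
listen1 posted on 2011-1-18 16:50
Support. Translation is hard manual labour.

A pity it has no technical content to speak of, so I don't dare label it "original".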
evafyzs
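Posted on 2011-1-18 17:36:56
The cloud is certainly effective at guarding against minor viruses; no doubt about that.
But domestic antivirus products rely mainly on the cloud, which proves that their engines really do leave something to be desired.
If a virus lies dormant and then breaks out everywhere at once, at the moment of outbreak it simply takes out any product whose first-pass detection is not up to it, and then the cloud is useless.
So I think offline second-pass detection is still very necessary.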
猪头无双
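Original poster | Posted on 2011-1-18 17:39:07
evafyzs posted on 2011-1-18 17:36
The cloud is certainly effective at guarding against minor viruses; no doubt about that.
But domestic antivirus products rely mainly on the cloud, which proves that their engines really do leave something to be ...

The problem is that both the first and the second pass are offline, so what use is the cloud?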