After having a discussion with the TDS-3 and Ewido guys, I’ve found some interesting things. Differences between company philosophies, etc.
For one, Ewido will ONLY add a Trojan to his database if his product can FULLY clean it from your system without destroying your OS. I submitted over 80 trojans to him in the last week, and he only added a small selection of these to his database. The reason? A few of them were file infectors, difficult, if not impossible, to clean once they infect your system. One of the threats I sent him was Parite-B.
http://home.arcor.de/antivirus/parite.html
Ewido’s response was:
“Kobra, thanks for the incredible submissions you sent us. Unfortunately we currently won’t add many of them to our database because some of these are trojans which infect other executables very rapidly. Our Clean-Engine isn’t capable of cleaning infections like these yet (and few to none are). We could easily detect them and remove the whole file, but that’s not what the user wants; it may leave his system in an unbootable state (infected system files that have been deleted and not correctly cleaned etc.). TDS-3 also can’t clean them and just deletes the file. This lets me think that they just added these detections to get better results in tests, and we don’t want to do that. –ewido networks”
Now, the interesting part is that TDS-3 detects this already, but to clean it, it destroys your system, rendering it unable to boot depending on the level of the infection – which is usually deep and fast.
So the point is, I want this to spur a discussion on the realities of AV and the limitations of traditional AV products. If a product finds this and deletes it, your system is fried; or would you rather just have it infected, then re-format at your leisure? Ewido has nearly 50,000 Trojan threats in its database, and each and every threat in its database is FULLY cleanable by Ewido, since he refuses to add anything he cannot guarantee a cleanup for. Is this a superior product to TDS or many AVs, which simply add signatures to their database, with or without the ability to clean?
I mean, it’s not a question in my mind that most AT/AV products SUCK at cleanup. Avast has a great solution, keeping a VRDB (full backup of important files) in an encrypted file, so when you tell Avast to clean, it cleans, and doesn’t pull any crazy stuff. Many people say AV/ATs offer “generic” cleaning with their products, but I’ve found this to be misleading, to say the least. What do you consider generic? The fact it can run through your system randomly deleting things the virus attacked, destroying your OS? The fact that Avast had the foresight to put in place a system to allow full recovery, to me, indicates a superior product.
I mean, so what if XYZ Antivirus software can detect 400,000 threats, if when it does find them, it blows up your box trying to clean them? Pointless? Hmm, I’m beginning to think so. When people talk smack about Avast, I think they are neglecting many important things, not the least of which is the ability to CLEAN UP without destroying your box. How many other AVs can make that claim with assurances? None? The VRDB isn’t perfect, but it IS a solution for right now, not tomorrow – like others promise.
It’s all fine and good to brag that your “Virus Laboratory Deep in the Heart of XYZ Country” receives 1500 samples per day. Is it ignorant to brag that you can run an automated MD5 scripter on 1500 samples and push them into your definition base without regard for the consequence a user of your product might face if they hit the “Clean” button when infected? I’m inclined to say yes…
Discuss?
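To make the VRDB idea concrete (a pristine copy plus a hash of each protected file, so that cleanup means restore rather than delete), here is an added Python example; it is not Avast’s implementation, the class and function names are my own, the store is kept unencrypted for brevity, and the “infection” is a constructed append to a stand-in file.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    # Stream the file so large executables do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class RecoveryDb:
    """Hypothetical VRDB-style store: hash plus pristine copy of each protected file.
    Restoring the copy replaces an infected file with its known-good original
    instead of deleting it and leaving the OS without a needed system file."""

    def __init__(self, store_dir):
        self.store_dir = store_dir
        self.entries = {}  # protected path -> (sha256 at snapshot time, backup path)

    def snapshot(self, path):
        digest = sha256_of(path)
        backup = os.path.join(self.store_dir, digest)  # content-addressed copy
        shutil.copy2(path, backup)
        self.entries[path] = (digest, backup)

    def modified(self):
        # Any protected file that is missing or whose hash changed (e.g. a file infector
        # appended code to it) is reported for restoration.
        return [p for p, (d, _) in self.entries.items()
                if not os.path.exists(p) or sha256_of(p) != d]

    def restore(self, path):
        digest, backup = self.entries[path]
        shutil.copy2(backup, path)
        return sha256_of(path) == digest  # True when the original is back byte for byte


def demo():
    work, store = tempfile.mkdtemp(), tempfile.mkdtemp()
    target = os.path.join(work, "critical.exe")
    with open(target, "wb") as f:
        f.write(b"MZ original program bytes")  # constructed stand-in for a system executable
    db = RecoveryDb(store)
    db.snapshot(target)
    with open(target, "ab") as f:
        f.write(b"\x90\x90 appended code")  # constructed stand-in for a file infector's change
    flagged = db.modified()
    return flagged == [target], db.restore(target), db.modified() == []
```

The point of the demo is the last step: after `restore`, the protected file is clean and still present, which is exactly what a delete-on-detect engine cannot offer for an infected system file.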