Kobra's AV test on 6-14-04

Kobra, thanks, that exactly fits what I “heard” about that AV. I wonder if the author is preparing a full w32/w64 version, as it would be bad to throw away such a quality heuristic engine (the only comparable one that comes to my mind is Dr. Web).

About V-Buster: a really funny-looking tiny program, but certainly worth looking at…

Inexperienced users should clearly steer away from this AV. V-Buster is a purely heuristic scanner and it will probably give you a lot of FPs.

There is a similar (freeware) AV scanner (ROSE SWEs Heuristic Based Virus Scanner) that you can download from http://195.58.189.134/~rose-1/software.htm.

tECHNODROME

Forget that program, I found a better one… Updated list:

Updated testing results, several additional products tested. Special note to the changes in first place. Notes on the changes:

Discovered and tested MKS-Vir2004, from Poland. Surprisingly, this one caught every sample perfectly on Medium Heuristics. Specifically, nearly 50 samples were picked up heuristically, giving it a perfect score of 321/321. However, when I increased Heuristics to “Super Deep”, it picked up an additional 10 suspicious files. Upon further investigation, it was found that it was picking up signatures of hacktool utilities left over in some of the archives and flagging those files. Indeed, this is impressive. MKS-Vir2004 exhibits the most advanced detection algorithms I’ve ever seen; clearly it only had signatures for 271 of my samples, but through code emulation it was able to pick up all 321 samples!! It clearly labeled the heuristically found ones as things like “Likely Win32 Trojan” or “Highly Suspicious Acting File”. In addition, its scanning speed was incredibly quick, and its memory footprint was quite small. Impressive! Furthermore, this is a full-featured and fairly polished product that appears to update at least once per day, and tech support responded to my emails within 5-15 minutes. Unfortunately, it appears not to be available in the US for purchase at this time.

Tested other additional products, Antidote, PerAV, Vir.IT, FireAV, and VirusBuster. Results are below.

1a) MKS_Vir 2004 - 321/321 0 Missed - 100%
1b) eXtendia AVK - 321/321 0 Missed - 100%
2a) Kaspersky 5.0 - 320/321 1 Missed - 99.70% (with Extended Database ON)
2b) McAfee VirusScan 8.0 - 319/321 + 2 (2 found as joke programs - heuristically) - 99%
3) F-Secure - 319/321 2 Missed - 99.37%
4) GData AVK - 317/321 4 Missed - 98.75%
5) RAV + Norton (2 way tie) - 315/321 6 Missed - 98.13%
6) Dr.Web - 310/321 11 Missed - 96.57%
7) CommandAV + F-Prot + BitDefender (3 Way Tie) - 309/321 12 Missed - 96.26%
8) ETrust - 301/321 20 Missed - 93.76%
9) Trend - 300/321 21 Missed - 93.45%
10) Avast! Pro - 299/321 22 Missed - 93.14%
11) Panda - 298/321 23 Missed - 92.83%
12) Virus Buster - 290/321 31 Missed - 90.34%
13) KingSoft - 288/321 33 Missed - 89.71%
14) NOD32 - 285/321 36 Missed (results identical with or without advanced heuristics) - 88.78%
15) AVG Pro - 275/321 46 Missed - 85.66%
16) AntiVIR - 268/321 53 Missed - 83.48%
17) Antidote - 252/321 69 Missed - 78.50%
18) ClamWIN - 247/321 74 Missed - 76.94%
19) UNA - 222/321 99 Missed - 69.15%
20) Norman - 215/321 106 Missed - 66.97%
21) Solo - 182/321 139 Missed - 56.69%
22) Fire AV - 179/321 142 Missed - 55.76%
23) V3 Pro - 109/321 212 Missed - 33.95%
24) Per_AV - 75/321 246 Missed - 23.36%
25) Proland - 73/321 248 Missed - 22.74%
26) Sophos - 50/321 271 Missed - 15.57%
27) Hauri - 49/321 272 Missed - 15.26%
28) CAT Quickheal - 21/321 300 Missed - 6%
29) Vir_iT - 10/321 311 Missed - 3%
30) Ikarus - Crashed on first virus. - 0%

MKS VIR2004

I’m testing it, quite impressed …
Just Very High Heuristic flagged PowerStrip (not surprised at all) and GetRight (surprised) and mp4fil32.dll and xzipper30.ocx (very surprised) to be the same type of trojan w32.4 :)

I got an idea, can you add scan times to your tests?

Testing the very-high heuristic setting, it’s flagged 2 of my archiver brute-force password-breaking programs as “Suspicious”, which I’m impressed with. It’s also flagged a small registry editing program I have as the same. :o

If you watch your RAM in Task Manager as it scans a file, you see the RAM jump, and if there are several files, you see it jump more. I’m going to throw out a guess here, but this program seems to use a Sandbox/Virtual Machine/Code Emulation type system. It’s like it loads stuff up and runs it in a virtual playground, and does it so fast you don’t even notice. I could be wrong, but it’s pretty wild how it knows a zipfile password cracker that they can’t possibly ever have heard of is slightly dangerous. Either way, they got some magical heuristics going on.

I like how you can slide the heuristics around from Off → Low → Medium → High → Very High to suit your needs. I’m the kind of guy that runs stuff on full-out max, so this is a nice toy for me to play with. In my tests, sadly, I’ve found much of this heuristic talk in many programs to be totally bogus, but a few programs stand out in this category, and MKS_Vir is definitely one of them!

Try scaling down the heuristics and see how it eliminates them… Obviously there’s code activity it doesn’t like in those things it’s picking up. ;D

Downloaded http://www.geocities.com/visitbipin/SERVER_dwn.zip

Renamed it and moved this file to another folder:

D:\Downloads\a\111111111111111111111111111111111111111111234SERVER_dwn.zip

This archive bomb brought mks_vir to its knees, trying to rescan the file many times, then returning already found “positives” from the previous pass as new findings …

Looks like it hates this extract bomb :)

Kobra-- just curious, but did you test their demo or full version? I haven’t yet figured out what they want in payment for their software (i.e. if you can order it (online purchase) off the internet --and download it that way). As you say, appears not to be available in the US (seems they sell this software “tweaked” for Poland).

I’m testing the demo, I’m :o :o :o :o :o :o :o :o :o :o from this one ;D

I have the full registered version on trial for 1 month, because the demo version doesn’t receive the definition or engine updates, which seem to be coming between 1 and 5 times per day. :o Keep in mind, I think the demo is running off an old update/engine as well… lol

When my 30 days are up, I’ll be buying it I’m sure, unless I can make other arrangements with them. This AV product blows me away, plain and simple; I’ve never seen heuristics this advanced, even with CommandAV. At the very LEAST, this will be my backup scanner. They have emailed me the name of a US distributor; I’ll be calling them tomorrow for more info and pricing.

PS: AVK isn’t fooled by any mail bombs either.

Right, I just found that archive level option, but unlimited … ouch lol
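The archive-bomb behaviour reported above and the “unlimited” archive level option point at the same defender-side caveat: a scanner that walks nested archives needs hard limits on nesting depth, per-member expansion ratio and total inflated bytes, or a small crafted file can keep it busy indefinitely. The Python below is an added example, not code from any product discussed in this thread; the limit values are assumptions and the sample archives it builds are constructed in memory for illustration.

```python
import io
import zipfile

# Illustrative limits (assumptions, not any product's real settings):
# recursion depth, allowed uncompressed/compressed ratio, total bytes inflated.
MAX_DEPTH, MAX_RATIO, MAX_TOTAL = 3, 100, 50_000_000


def scan_archive(data, depth=0, budget=None):
    """Walk a zip recursively; return (member, verdict) pairs with bounded work."""
    if budget is None:
        budget = [MAX_TOTAL]  # shared across the whole recursion
    if depth >= MAX_DEPTH:
        return [("<archive>", "nesting limit reached, not recursing")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a zip")]
    findings = []
    for info in zf.infolist():
        # Ratio check uses the central directory, so nothing is inflated yet.
        if info.file_size / max(info.compress_size, 1) > MAX_RATIO:
            findings.append((info.filename, "expansion ratio exceeded, skipped"))
        elif info.file_size > budget[0]:
            findings.append((info.filename, "inflate budget exhausted, skipped"))
        else:
            budget[0] -= info.file_size
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                findings.extend(scan_archive(member, depth + 1, budget))
            else:
                findings.append((info.filename, "scanned"))
    return findings


def build_nested(levels, payload=b"hello"):
    """Constructed sample: a zip nested `levels` deep around a small text file."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("level%d.%s" % (i, "zip" if i else "txt"), data)
        data = buf.getvalue()
    return data


def build_highly_compressible():
    """Constructed sample: one member inflating ~1000x next to a normal one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * 1_000_000)
        zf.writestr("readme.txt", b"hello world")
    return buf.getvalue()
```

A real engine would also cap wall-clock time per file and record a member-level verdict once, rather than re-reporting earlier hits on every rescan, which is the symptom described above.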

Ok, where the hell is their home page? Google gives me only damn crack sites when I search for MKS-Vir2004. Maybe because I’m not on my own machine…

http://www.mks.com.pl/english.html ;D

Thx, I’ll give it a try :)

Kobra, thanks for performing this test. It was a very informative and interesting read.

Kobra,

Could you change your test scores into links to the main pages of these AVs for quick glancing?

Oh yea, btw, impressive testing. I am a programmer, but not in the field of AVs, so I don’t know how scientific this experiment is, but it is interesting to read. People like you help make advancements in programs.

I brought this up in a Nod32 forum. I seem to have upset some people. :slight_smile:

http://www.wilderssecurity.com/showthread.php?p=198615#post198615

Doug

Also, another note on the tests:

The exact program version and virus database build/date should be included :)

You know, I’ve actually been IP banned from that forum. I was a registered NOD32 owner, and went there to report issues/problems/bugs with the product, and got banned for criticizing NOD32 by Paul Wilders. I liken the NOD32 movement to a bunch of cultists that believe their product is the best in the world, when in my personal experience it’s only an “Average” AV product. But they do take it quite personally when you poke holes in their baby. They certainly don’t take even mild complaints very well, and the mods threaten with PMs. At least the Avast folks are nice, open, upfront, and confront issues head on like bulls. All the more reason to support Avast. ;D

I noticed a good bit of people defend my tests there too, so that’s good I guess. I still visit there through proxy scramblers, but I won’t post and contribute. Their loss… NOD32 doesn’t get the viruses I find submitted to it anymore… Further loss for them, since they need all the help they can get.

Well, the Alwil guys listen to every user error/bug report, complaint or recommendation, and they sometimes even admit their mistakes (although I haven’t seen any yet; I just assume they don’t sweep the dirt under the carpet). That’s why avast! antivirus is getting better and better so fast.