Test Results are Good 

system · 2007-03-13T02:34:35.000Z

Hello,

I was reading the av-comparatives report of febuary 2007, I would like to congratulate the Alwil team for once again achieving a high score however I would also like to ask why did a few AV’s including Avast fail to detect the polymorphic viruses ??

Thanks

Al968

DavidR · 2007-03-13T12:22:40.000Z

A polymorphic virus that changes its binary pattern each time it infects a new file to keep it from being identified is by its nature going to be difficult to detect.

http://encyclopedia.tfd.com/polymorphic+virus

In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.
Most anti-virus software and intrusion detection systems attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to locate the offending code as it constantly mutates.

Encryption is the most commonly used method of achieving polymorphism in code. However, not all of the code can be encrypted as it would be completely unusable. A small portion of it is left unencrypted and used to jumpstart the encrypted software. Anti-virus software targets this small unencrypted portion of code.

So unless you detect the original polymorphic virus signature and you don’t have some other non-signature means of detection, you will be looking for something very small.

Lisandro · 2007-03-13T12:23:49.000Z

DavidR post:2:

So unless you detect the original polymorphic virus signature and you don’t have some other non-signature means of detection, you will be looking for something very small.

Won’t heuristics do their job here? :

system · 2007-03-13T14:22:06.000Z

DavidR post:2:

So unless you detect the original polymorphic virus signature and you don’t have some other non-signature means of detection, you will be looking for something very small.

Well, other antivirus software certainly seem to have no problems doing this.

avast! doesn’t seem to have done much work on its polymorphic virus detection rate since the last AV-Comparatives on-demand test either.

system · 2007-03-13T14:23:36.000Z

solcroft post:4:

DavidR post:2:

So unless you detect the original polymorphic virus signature and you don’t have some other non-signature means of detection, you will be looking for something very small.

Well, other antivirus software certainly seem to have no problems doing this.

avast! doesn’t seem to have done much work on its polymorphic virus detection rate since the last AV-Comparatives on-demand test either.

Unfortunatly I have to agree with you that Avast has not improved its engine for polymorphic engine at all. >:(

Al968

Lisandro · 2007-03-13T17:40:39.000Z

Any official answer for polymorphic detection? :

system · 2007-03-14T00:37:36.000Z

al968 post:5:

Unfortunatly I have to agree with you that Avast has not improved its engine for polymorphic engine at all. >:(

Al968

I don’t think so…

Read Igor’s reply on this thread

http://forum.avast.com/index.php?topic=24099.msg198092#msg198092

and when it comes to the important one that gets the real danger to Avast users in the real world, I believe Avast would definitely offer the 100% detections, as the case of Win32:Polipos last year that Avast detected them all 100% while so many scanners failed, e.g. NOD32, Trend Micro, Sophos, Panda, CA eTrust and of course, our beloved AVG. ;D

http://www.pcwelt.de/news/sicherheit/136731/index.html

I think some people don’t like such answer but that’s just how the story goes, search for Polip on this forum and you’ll see.

system · 2007-03-14T08:43:04.000Z

That’s how the story goes, but that doesn’t necessarily mean it’s true. I have personally run into many viruses and self-replicating malicious software that are not counted as part of the WildList.

Who defines “real threats”? Is there necessarily anyone with the authority and ability to list 100% of the malware that are circulating in the wild? I think not. It’s why tests using samples outside the WildList - such as AV-Comparatives - are important, because the WildList only contains a severely limited number of viruses that actually exist.

Without getting sidetracted by other issues, allow me to say that any security company who is satisfied by the mere fact that their product detects 100% of the WildList is in a very precarious position indeed.

As for the report you quoted, I believe it was conducted during April 2006. Part of the problem is that other vendors have attempted and succeeded in improving their polymorphic virus detection rate, while avast! seems to remain stagnant, as far as the results show…

Lisandro · 2007-03-15T21:43:31.000Z

Tech post:6:

Any official answer for polymorphic detection? :

Bump… I want to learn ;D

system · 2007-03-16T17:50:19.000Z

Me too !!!

Al968

Announcements