Re: Review of the Top Picks in 2012 0-Day Benchmarks
Posted: Thu Oct 04, 2012 8:42 pm
I was gifted multiple Emsisoft keys (through various forums, I get keys gifted to me from people). I personally found it to be top notch but (I'm a Linux user and have no use for Antivirus on my Windows partition as it's purely for games and only rarely connects to the internet for online games) I put it on my mother's computer and she had quite a bit of trouble with blocked websites (web guard) and a lot of popups for behavioral blocking. I could have toned it down but I felt there was no need for it so I just moved back to MSE.
I would be wary about flash-tests results. The methodology is, in my opinion, very broken. It works on a set of 'stages' for malware ie: if you catch malware 1 you are tested against malware 2 and if you miss malware 2 they don't bother testing malware 3. That's not how it works in the real world.
On top of that there's no distinction between a definitive result (ie: blacklist signature/ definitive heuristics) and a user interaction (ie: This program tried to run? Block? Sandbox?). I can write a program that universally injects a .dll and intercepts all calls to the system - I've just broken every piece of malware, but it's gonna be the biggest pain in the ass to run to the point where there's no security at all. There's a fine line when it comes to HIPS.
@Thrawn,
Apparmor's wonderful. And if you're looking for an AE you can set Grsecurity to deny execution from a UserID and then simply log in from that ID (you can deny socket access etc and have a really 'least privilege' account).
@Tom,
Too true. Zero day season never ends nor will it ever.
I would be wary about flash-tests results. The methodology is, in my opinion, very broken. It works on a set of 'stages' for malware ie: if you catch malware 1 you are tested against malware 2 and if you miss malware 2 they don't bother testing malware 3. That's not how it works in the real world.
On top of that there's no distinction between a definitive result (ie: blacklist signature/ definitive heuristics) and a user interaction (ie: This program tried to run? Block? Sandbox?). I can write a program that universally injects a .dll and intercepts all calls to the system - I've just broken every piece of malware, but it's gonna be the biggest pain in the ass to run to the point where there's no security at all. There's a fine line when it comes to HIPS.
@Thrawn,
Apparmor's wonderful. And if you're looking for an AE you can set Grsecurity to deny execution from a UserID and then simply log in from that ID (you can deny socket access etc and have a really 'least privilege' account).
@Tom,
Too true. Zero day season never ends nor will it ever.
