Review of the Top Picks in 2012 0-Day Benchmarks

GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Review of the Top Picks in 2012 0-Day Benchmarks

Post by GµårÐïåñ »

I am always on the lookout for promising and effective security solutions. I came across two tools that have been put through an extensive battery of zero-day threats and came through with 100% detection. I decided to check them out. One of them was DefenseWall, but I found that although for a professional like myself it is quite effective, for the average user the interface and HIPS complexity may be overwhelming, especially since the less-than-user-friendly interface can feel very overbearing. The second tool, which also had a perfect record and has had this record for a long time, was Emsisoft Anti-Malware, with a very intuitive and elegant interface. It is not very intrusive and works with little interference and resource hogging.

Between the only two that scored 100%, I would recommend Emsisoft Anti-Malware for being good and effective - you can download a fully functional 30-day trial which offers active protection in real time as well. After the 30-day trial, it becomes a free tool which can only be used manually, much like the MalwareBytes Anti-Malware unregistered version. The difference is that while MalwareBytes only caught 78% of the threats, Emsisoft caught 100%, gives you a full 30 days of active protection as well, and has reasonable pricing if you choose to purchase it; even if you don't, it becomes a free manually runnable tool that is still as effective, minus the active protection. And unlike MBAM, which will not auto-update unless you register, even the free version of EAM will auto-update on a regular basis, which again sets it apart.

I would highly recommend that users check this out; I believe you will find it worth your while. For anyone who has used MBAM for any length of time, myself included for years, and finds it a useful tool, it would serve you well to try this tool, as it outperforms MBAM hands down and it never hurts to have another great tool to check your system. Although I am still keeping the free version of MBAM on hand and will continue to use it, I am adding this tool to my arsenal as well and will be using it to double-check my system to cover anything missed by MBAM. Another thing that sets this tool apart from MBAM by a huge margin is the fact that any item it detects and quarantines is checked against future signature updates to ensure that you are notified of any false positives and have the opportunity to restore them, which is something no one else does. Also, the frequency with which it updates its database sets it apart, because it allows it to stay one step ahead of any zero-day threat by being ready for it before it hits, updating to account for it the moment it becomes detected or known. Unlike MBAM, which you have to update manually, this tool aggressively updates to ensure it's always current. It also has a sophisticated algorithm that allows for rule creation, much like firewalls, and that's another nice thing about it.

If you choose to try it out, I would love to hear your feedback on it and would appreciate it if you shared what you think about it with me. You can also find more test results by checking here: http://www.mrg-effitas.com/current-test ... t-results/
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by therube »

I have MBAM, licensed.
Can't say it's done much for me, on my own systems.
Though it has been great for cleaning up others' systems, after the fact.

Looking now, nope, not running.
And hasn't for some time now. Just because.

I had put in NoVirusThanks EXE Radar Pro, free for personal use, & that had been running, alerting me when something tried to run. But then I downloaded an update, & have yet to put it in, so have been without for a couple weeks now.
forum, wilderssecurity: New Antiexecutable: NoVirusThanks EXE Radar Pro

Oh, I'll get around to it ...

Haven't tried either product you've mentioned.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/17.0 Firefox/17.0 SeaMonkey/2.14a2
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by Thrawn »

I'd be interested if I were running Windows :D. Happy Linux user there, though.

Am I correct in thinking (from its website) that DefenseWall provides an executable whitelist? That would be cool. I believe I could set that up using AppArmor, but I haven't gotten around to it yet.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by therube »

I saw & had wondered about that too, & took a quick look, but the emsisoft website was confusing enough as it was, so I just let it be.

Updated MBAM, installed fine, required a reboot on both XP & Win7.

NoVirusThanks EXE Radar Pro, the updated version (I had an older), 2.6.6.0, I first tried to install overtop the old - without success. The install installed, but when it went to start up, got an error message, "Error: Service Timeout! Aborting...". Uninstalled. Reinstalled. Same. Uninstalled, reinstalled the older version, 1.3.6.5, & it installed & worked fine. Uninstalled 1365. Reinstalled 2660. Same. Rebooted (as I had done numerous times throughout), knowing that it should load automatically on boot. It did not. Attempt to open & gave the same error message. Yet throughout, the service, ERPx86Svc, had loaded into memory, yet the program would not run. Removed yet again & reverted back to 1365.

That was on XP. Have not tried NVTE on Win7 x64 yet.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/17.0 Firefox/17.0 SeaMonkey/2.14a2
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by GµårÐïåñ »

Thrawn wrote:I'd be interested if I were running Windows :D. Happy Linux user there, though.

Am I correct in thinking (from its website) that DefenseWall provides an executable whitelist? That would be cool. I believe I could set that up using AppArmor, but I haven't gotten around to it yet.

Yes, DefenseWall provides full-on HIPS, hence why it is a bit more complicated for the average user; the interface is not that friendly either.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by GµårÐïåñ »

therube wrote:I saw & had wondered about that too, & took a quick look, but the emsisoft website was confusing enough as it was, so I just let it be.

Updated MBAM, installed fine, required a reboot on both XP & Win7.

NoVirusThanks EXE Radar Pro, the updated version (I had an older), 2.6.6.0, I first tried to install overtop the old - without success. The install installed, but when it went to start up, got an error message, "Error: Service Timeout! Aborting...". Uninstalled. Reinstalled. Same. Uninstalled, reinstalled the older version, 1.3.6.5, & it installed & worked fine. Uninstalled 1365. Reinstalled 2660. Same. Rebooted (as I had done numerous times throughout), knowing that it should load automatically on boot. It did not. Attempt to open & gave the same error message. Yet throughout, the service, ERPx86Svc, had loaded into memory, yet the program would not run. Removed yet again & reverted back to 1365.

That was on XP. Have not tried NVTE on Win7 x64 yet.

I have used MBAM myself for years too, and that's why I was so disappointed that they performed so poorly and decided to give the competition that did well a look and see what gives. I have to say (as I have said before) that while I am not dumping MBAM, I have found this tool to be much more effective, even after the trial period wears off and it becomes a free version like MBAM. It still has more features without active protection than MBAM, and the licensing for the two is very similar; in fact the scheme for MBAM costs more in the long term. Anyway, to each their own. It was put in this forum because it's where we discuss security non-specific to NS; apparently some people are too busy being a smartass to get that.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by therube »

Have not tried NVTE on Win7 x64 yet.

Same exact situation & error message on Win7 as I got on XP.
So so far, no go for me with the current version.
I emailed them. Let's see if I get a response.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 SeaMonkey/2.14a2
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by therube »

Looking around at mrg, I still can't really make heads or tails out of just what or how they're testing.

In any case, at least for whatever it is that they do, their blog had some interesting (seemingly) data.

http://www.blog.mrg-effitas.com/

Some general themes, as I see it, & from the data presented (which therefore may or may not be meaningful).

SuperAntiSpyware sucks. Failing often & over time. Far more than any other product.

BluePoint, never heard of & seems to do well. Seemingly they use a whitelist approach (some other product comes to mind) along with a "cloud". Their website is a joke (as are many I've looked at of late).

Others that have a tendency to be "winners" (NOT); MS, McAfee, AVG.
Kaspersky looks to have done well. And Emsisoft.

But then we know that traditional A/V are fail.

For web based threats, we all already know the answer there.

MBAM does well. But just what does it do? It can block "bad" web sites, but so what. We don't need that. Otherwise it relies on "definitions", which in my book should be fail. Though for the times I've needed it, it has done very well in after-the-fact clean ups. It is light (even if it uses quite a bit, relatively speaking, of memory, ~112 MB for its "service"), & is a quick scanner. Otherwise I've never really seen it do anything? (There should be some non-virulent test sites out there ...)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 SeaMonkey/2.14a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by Tom T. »

(At this point, there was some discussion of possible motives or conflicts in recommending products that engage in referral programs. Being completely O/T to the merits of the product itself, those posts were split and moved to Forum Extras > Ragnarök.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by Thrawn »

As well as mrg, it may be worth examining the winners of the matousec Proactive Security Challenge. Rather than focus on catching 0-days, it looks at whether tools can do things like defend themselves, prevent unauthorised outbound connections, prevent additions to autorun lists, prevent malicious system shutdowns, etc. The winner was Comodo, but most of the big names failed miserably in the early rounds.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by Tom T. »

IMHO, it's unrealistic to expect any single tool to do everything, and it's also unsafe, creating what Bruce Schneier calls a "single catastrophic point of failure". Defense in depth, with redundant protections, is much safer.

Some sort of sandboxing or virtualizing solution should prevent *any* Registry writes, not just autoruns, and should block shutdowns, as well as contain any malware that does get inside. People who leave the same browser open for days or weeks should think about the protection they're forfeiting by not restarting it (and dumping stuff trapped in the box).

Firewall (standalone, for this writer): They zinged ZoneAlarm for "failing" the Runner test, where a malicious program imitates (in this case) IE, and asks for Net access. They granted that ZA gave a pop-up alert, but said that since the alert was for "IE", most users would allow it. IDK about the newest version of ZA for Win 7 etc., but on mine, it also would include a red warning: "WARNING: This program has changed since the last time it ran!" And that's just even if I update Fx. So it would surely warn the user that the browser had changed, and if I didn't update it, and it didn't update itself (which I would not allow, at least without notification and permission), then .... flag. No unauthorized outbound connections.

AV -- yeah, behind the curve, but as Schneier notes, some are free and lightweight, and they do catch a lot of attacks that are still out there. Not everything is a 0-day. Lots of old viruses floating around. So, why not?

A certain developer of a certain browser security tool once said, "Do one thing, and do it well." OK, it's added more "things" but they're all about one thing: Securing your browser. It doesn't pretend to secure your office suite, your operating system, etc.

There was an old thread by someone who was practically spamming for Comodo, or so one would think, who claimed that their Suite made NS's default-deny JS policy unnecessary. Giorgio took three minutes to write two JS attack POCs (yes, three *minutes*) that promptly executed on the user's Comodo-protected machine. Perhaps that user misunderstood the literature, rather than Comodo over-selling, but the point is that the "I am all you need" approach is very likely to give a false sense of security. [/soapbox]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by Thrawn »

Tom T. wrote:IMHO, it's unrealistic to expect any single tool to do everything, and it's also unsafe, creating what Bruce Schneier calls a "single catastrophic point of failure". Defense in depth, with redundant protections, is much safer.

Some sort of sandboxing or virtualizing solution should prevent *any* Registry writes, not just autoruns, and should block shutdowns, as well as contain any malware that does get inside. People who leave the same browser open for days or weeks should think about the protection they're forfeiting by not restarting it (and dumping stuff trapped in the box).

Yeah... I really should sit down and get AppArmor running for everything on the system. Once the kernel is enforcing an executable whitelist, with restrictions even on the privileges of allowed processes, then I'll be pretty confident that we're sufficiently virus-proof. And NoScript is installed globally.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
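As an added illustration of the kind of AppArmor policy Thrawn describes (an example written for this edit, not code from any poster or from the AppArmor project), the profile below confines a hypothetical browser so that it can only write to its own profile directory and the user's downloads, can never execute anything from those writable locations, and can launch exactly one whitelisted child program, which in turn runs under its own profile. The binary path /usr/lib/example-browser/browser, the config directory name and the download directory are placeholders chosen for the example.

```apparmor
# Added illustrative profile, not from this thread. The binary path
# /usr/lib/example-browser/browser and the directory names are placeholders.
#include <tunables/global>

/usr/lib/example-browser/browser {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # Program files: readable and mappable, never writable.
  /usr/lib/example-browser/** r,
  /usr/lib/example-browser/browser mr,
  /usr/lib/example-browser/*.so mr,

  # The only places the browser may write are the user's own
  # profile directory and download directory.
  owner @{HOME}/.config/example-browser/ rw,
  owner @{HOME}/.config/example-browser/** rw,
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rw,

  # Nothing in those writable directories may ever be executed, even if a
  # later rule accidentally grants it: deny rules win over allow rules.
  deny @{HOME}/Downloads/** x,
  deny @{HOME}/.config/example-browser/** x,

  # Executable whitelist for child processes: only the URI handler, and
  # it must transition to its own profile (Px) rather than inherit this one.
  /usr/bin/xdg-open Px,

  # Every file, executable and capability not listed above is denied,
  # because AppArmor profiles are default-deny.
}
```

Installed as /etc/apparmor.d/usr.lib.example-browser.browser, the profile would normally be loaded in complain mode first (`aa-complain`) so that the audit log shows what the program legitimately needs before switching to `aa-enforce`; the denials it logs in enforce mode are the detection signal for anything trying to drop and run a file from the download directory. It only constrains what the kernel's LSM hooks enforce, which is the caveat Tom T. raises in the next post.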
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by Tom T. »

Thrawn wrote:Yeah... I really should sit down and get AppArmor running for everything on the system. Once the kernel is enforcing an executable whitelist, with restrictions even on the privileges of allowed processes, then I'll be pretty confident that we're sufficiently virus-proof. And NoScript is installed globally.

Assuming that the kernel itself is securely coded and protected ... IDK anything about the Ubuntu kernel, but Windows Update has had kernel patches, often covering multiple vulns, almost every month for the past two years or so. Most affect XP, Vista, *and* 7. Kinda scary.

Fortunately, *most* have been local privilege-escalation vulns only -- user who is logged on locally as a limited or guest user can gain admin privilege, but cannot be exploited by anonymous remote attacker. But it doesn't give high confidence in the basic design. Hope Ubuntu has the proper foundation.

ETA:
Something equivalent to AppArmor looks to be far beyond the scope of the average (Win/Mac) home user, although by definition *nix users tend to a much higher tech level. Shame.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by therube »

There appears to be a new IE 0-day out & about.

This is how various AV fare so far (3/34), Moh2010_dec.swf. And another, Protect.html.

Now Emsisoft is not detecting them, but I wonder if its other features (not that I know what they are) would have protected you? (Suppose if it has an A/E, it would have caught when the, in this case, 111.exe file attempted to run. But then so would/should any A/E.)


Zero-Day Season Is Really Not Over Yet
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/17.0 Firefox/17.0 SeaMonkey/2.14a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Review of the Top Picks in 2012 0-Day Benchmarks

Post by Tom T. »

therube wrote:There appears to be a new IE 0-day out & about.

Shocked, I tell you, shocked! :mrgreen:

Another among thousands of reasons not to use IE.
therube wrote:Zero-Day Season Is Really Not Over Yet

When will it ever be? Never. Hence, multiple layers of defense.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1