Hi,
> On 5/12/06, Christoph Cordes <[EMAIL PROTECTED]> wrote:
>> Maybe it is of interest:
>> http://nepenthes.mwcollect.org/stats:scannertest
> Not really. You have to take the results with a grain of salt for several
> reasons:
> The test is 6 months old (even if heise.de still sells it as "News").
We notified them, and they added a note on the date of the results.
> Many scanners rely on heuristics - like NOD32 for example - was the heuristic
> used at all?
> There is no info on whether the samples are working. Sometimes broken binaries are
> caught by the honeypot. A scanner that relies on a strong unpacking engine,
> like Kaspersky, could fail to unpack such a sample and fail to detect it, while
> a scanner that doesn't make use of too many unpackers and relies more on
> search strings against runtime-packed malware (and you can find a lot of this in
> a honeypot) is able to find enough to raise a detection - so, is a scanner that
> doesn't detect a broken sample really a bad thing?
Could be reported as BrokenPE? But in general, you are right.
To verify a sample works, one has to run it, like
CWSandbox http://www.consolo.de/html/cwsandbox.asp
(the movie requires the latest mplayer win32 codecs, happy wmv foobar).
I added some links to other pages, and if a sample/hash has 30 hits,
one can be sure it is a working one.
> I could go on like this - actually this test does not tell too much. Antivirus
> testing is a complex business, and while the Nepenthes project most likely had
> good intentions, it should be noted that this test result leaves much to ask
> for and can't be used to make any statement about the overall quality of a
> product.
We still *have* that good intention, and these stats were written as
some advertising for nepenthes, not as a 100% reliable source for
comparisons between different scanners.
MfG
Markus Koetter
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
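The thread's point about broken binaries caught by the honeypot (a truncated download that no scanner can reasonably be blamed for missing) is something one can check structurally before a sample ever goes into a scanner test or a sandbox. The following is an added example, not code from the thread, from nepenthes or from CWSandbox: a small Python check of the PE container that flags the typical damage of an interrupted transfer, namely section raw data or headers that point past the end of the file. The names build_min_pe and check_pe are this example's own, and the PE image it inspects is constructed in memory for the demonstration rather than taken from any captured sample.

```python
import struct
import sys


def check_pe(data: bytes) -> list:
    """Return a list of structural problems; an empty list means the PE container looks intact.

    This only validates the container layout (DOS stub, PE signature, COFF and
    optional header sizes, section table against file size). It says nothing
    about whether the code inside runs; that still needs a sandbox.
    """
    problems = []
    if len(data) < 64 or data[:2] != b"MZ":
        return ["no MZ header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    if e_lfanew + 24 > len(data):
        return ["e_lfanew 0x%x points past end of file" % e_lfanew]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["no PE signature at e_lfanew"]
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    opt = coff + 20
    if opt + opt_size > len(data):
        problems.append("optional header truncated")
    sect = opt + opt_size
    for i in range(nsections):
        off = sect + i * 40
        if off + 40 > len(data):
            problems.append("section table truncated at entry %d" % i)
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        # A section whose raw data extends beyond EOF is the classic sign of a
        # download that was cut off before the honeypot got the whole file.
        if raw_size and raw_ptr + raw_size > len(data):
            problems.append(
                "section %s: raw data [0x%x+0x%x] past EOF (0x%x)"
                % (name, raw_ptr, raw_size, len(data))
            )
    return problems


def build_min_pe(section_raw_size: int = 0x200) -> bytes:
    """Construct a minimal, structurally valid PE32 image for testing (constructed data, not a real program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    # COFF header: i386, 1 section, no symbols, PE32 optional header (0xE0 bytes), EXEC|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)  # PE32 magic, remaining fields zeroed
    raw_ptr = 0x200  # first file-alignment boundary after the headers
    section = (
        b".text".ljust(8, b"\0")
        + struct.pack("<IIII", section_raw_size, 0x1000, section_raw_size, raw_ptr)
        + struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    )
    header = dos + b"PE\0\0" + coff + opt + section
    header = header.ljust(raw_ptr, b"\0")
    return header + b"\xC3" * section_raw_size  # section body: filler 'ret' bytes


def classify(data: bytes) -> str:
    """Label a sample the way a stats page could: 'ok' or 'BrokenPE'."""
    return "ok" if not check_pe(data) else "BrokenPE"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        # Demonstration: a complete image, and the same image cut off mid-section.
        blob = build_min_pe()[:0x300]
    for line in check_pe(blob) or ["no structural problems found"]:
        print(line)
    print(classify(blob))
```

Run with a file path to check a real sample, or without arguments to see the constructed truncated image reported as BrokenPE. A sample that passes this check is still only "not obviously truncated"; whether it actually runs is what the sandbox answers.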