Lies, big lies and antiviruses. Part Four. "Universal Heresy"

Security products are black boxes to their users. An ordinary person on the street cannot judge the effectiveness of the protection he has bought or is about to buy. Tests are needed. Tests organized by professionals.

Until recently, there were only two types of tests of protection against infection: the direct test and the retrospective test of the scanning antivirus engine. Nothing else. At all. In the direct test, a collection of about a million samples is taken, nobody knows how or where it was collected, with an unknown amount of junk in it that does not run at all, and the scanning engine is let loose on this whole mess. Cheap and cheerful. A retrospective test is a test with "frozen" signature databases: they stop being updated for several weeks, and then the same antivirus scanner is set on freshly minced meat.
As you can see, such tests leave no room for innovative approaches to preventing infection. Only the scanning engine is tested, as if nothing else existed. Yet most modern antiviruses have a behavioral blocker and a URL filter, which cannot be tested by the old methods.

And then the AMTSO organization appeared, which is developing approaches to a radically new, so-called dynamic, testing. That is, links to malicious applications are collected and launched on a test bench. Here both the link filters and the behavioral blocker can do their job, and the test itself comes closer to reality.

Dynamic tests are technically much harder than a simple run of the scanning engine over a collection of malicious modules. In fact, none of the testing organizations run this test on a regular basis, and some are only at the preparation stage. Dynamic infection-prevention tests will apparently become a firm part of our lives only in 2011-2012, becoming the main measure of how effectively infection is prevented.

I believe that many vendors will try to hush up or distort the results of such tests, clinging tightly to the outdated "signature", since the results will not be in their favor. In November 2009, the first dynamic test was published by the Russian security portal Anti-Malware. Here are its results: http://www.anti-malware.ru/antivirus_test_zero-day_protection . As you can see, the old approaches to computer security lost with a crash to the new ones making their way into life. Now look at the reaction of the vendors of protective products. Only Kaspersky Lab responded, whose marketers with a slight wave of the hand turned Kaspersky Internet Security's second place into... first! Do not believe it? Here is the link: http://www.kaspersky.ru/news?id=207733114 . All the others simply ignored the test, as if it did not exist at all. Well, of course: the villeins should not know facts that confuse the mind; they should believe and work, and most importantly, feed the master. So that the mere thought that there are alternative approaches to protecting a computer from infection is perceived by them as universal heresy!

P.S. The final article of the series comes out in a week.

Source: https://habr.com/ru/post/104668/