
Virus detection

I am evaluating a few different AV packages with a view to moving away from Symantec Endpoint Protection which I am unhappy with. As part of my evaluation of each package I have downloaded a collection of viruses from virussig.com and scanned them to see how many are identified.

With Sophos, if I create a new scan and include just the folder containing the viruses (sub-folders are automatically selected) it doesn't find a single virus. However, if I right-click on the folder and select Scan with Sophos Anti Virus, it detects 579 viruses (incidentally Kaspersky found 2600 in the same folder but that's a different matter). Can anyone explain why the normal scan doesn't find these viruses but the right-click does?

Thanks



  • Hello TimRay,

    first of all (apart from the fact that I don't know who virussig.com is as the domain comes and goes :smileyhappy:) sensible evaluation of AV products against a collection of threats is not a simple task. With literally millions of threats and variants, scanning "just" a few thousand items has no real significance.

    There's a major difference between scheduled/immediate and right-click scans: A scheduled scan per default scans only certain types of files and does not scan inside archives - a right-click scan scans all files and inside archives. How did you set up the "normal" scan?

    Christian

  • Hello Christian

    I just tried the default settings for the scheduled/immediate scan - I have since tried customizing the scan but it never finds anything - the files are not compressed.

    Sorry but the download was from http://www.virussign.com/index.html - I know the results of this type of test are not very conclusive but it's hard to get a feel for a product without some real tests. For example I scanned the same folder with Symantec and it took more than twenty times longer to scan and found fewer threats than other products.

  • Thanks for the link. As these files have no extension a "normal" scan does not include them. I had to configure it to Scan all files (as I assumed). This is - as mentioned - the default for right-click (and on-access has BTW Scan files with no extensions set).

    Can't judge the significance of the detection rate against these samples (of course the more the better, but some non-viral malware might have only very limited prevalence and be practically "extinct" in the wild). I think that performance and sensitivity of on-access (and download) scans and "zero-day" protection is more important, as well as manageability and last but not least a vendor's support and reaction time to new threats.

    HTH

    Christian

  • Thanks Christian - I just found that out for myself - it does seem a very strange default scan option though; surely the default should be to scan everything unless the user excludes something.

    I appreciate what you say about the viruses I downloaded but as I said before you cannot evaluate a product without finding a virus, and this is a safe and controlled test which I can repeat with different AV solutions. The results don't mean much but do allow me to test the software fully, thus avoiding surprises when users encounter viruses.

    I'll continue with my evaluation

    Thanks for the explanation

    Tim

  • Thanks for the explanation

    You're welcome.

    it does seem a very strange default scan option

    It might seem like a peculiarity, but different vendors have different approaches - and it often can't be decided which is better (although this being a Sophos forum you probably know the "right" answer :smileywink:). I can only speak for the Sophos setup.

    • On-access should scan all "executables" (including also for example PDF, .INI and so on) and "potential executables" (as some browsers download/cache files without an extensions these too are scanned).
    • A "normal" (scheduled) scan scans "executables" only, as it is unlikely that cached items are "re-used" outside a browser.
    • A right-click scan is for paranoid mode :smileywink:

    I'd like to mention two more facts which are often questioned:

    1. Archives are not scanned by default: in order to run, a malicious item has to be unpacked and then opened - at this point it is scanned by the on-access scanner and that's sufficient.
    2. For the same reason mail is not scanned (neither in transit nor when you view the body only) - but an attachment is when it is opened.

    Christian

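The two explanations above (a "normal" scan skipping files with no extension, and the three scan scopes: scheduled, on-access, right-click) come down to one question: which files does the scanner even open? The script below is an added illustration, not Sophos code and not part of the original thread. It builds a constructed sample folder that mirrors the one described (hash-named files with no extension, a few with extensions, one zip) and runs a toy "scanner" under three assumed policies. The extension list, the archive handling, the detection marker and the sample contents are all assumptions made here to show the mechanism, not Sophos's real configuration or a real signature.

```python
"""Toy model of how scan scope (extension filter, no-extension files,
archives) changes the detection count over the same folder.

Added example; the policies, the EXECUTABLE_EXTS list, the SIGNATURE
marker and the sample files are constructed for illustration only.
"""
import io
import os
import shutil
import tempfile
import zipfile

# Constructed marker standing in for a real detection signature.
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER-0001"

# Assumed "executable" extension list for an extension-scoped scan.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".pdf", ".ini", ".js", ".vbs"}
ARCHIVE_EXTS = {".zip"}

# Three scopes modelled on the thread's description (assumed, not vendor docs):
#   scheduled:   executables only, no extensionless files, no archives
#   on_access:   executables plus files with no extension, no archives
#   right_click: every file, and inside archives
POLICIES = {
    "scheduled":   dict(all_files=False, no_ext=False, archives=False),
    "on_access":   dict(all_files=False, no_ext=True,  archives=False),
    "right_click": dict(all_files=True,  no_ext=True,  archives=True),
}


def in_scope(name, policy):
    """Decide from the file name alone whether the policy opens this file."""
    if policy["all_files"]:
        return True
    ext = os.path.splitext(name)[1].lower()
    if ext == "":
        return policy["no_ext"]
    return ext in EXECUTABLE_EXTS


def scan_bytes(name, data, policy):
    """Return the number of detections in one file, descending into archives when allowed."""
    ext = os.path.splitext(name)[1].lower()
    if ext in ARCHIVE_EXTS:
        if not policy["archives"]:
            return 0          # archive skipped entirely, members never inspected
        hits = 0
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                hits += scan_bytes(member, zf.read(member), policy)
        return hits
    if not in_scope(name, policy):
        return 0              # file never opened, so content is irrelevant
    return 1 if SIGNATURE in data else 0


def scan_dir(root, policy_name):
    """Scan a directory tree under one policy and return the detection count."""
    policy = POLICIES[policy_name]
    total = 0
    for dirpath, _, files in os.walk(root):
        for fname in files:
            with open(os.path.join(dirpath, fname), "rb") as fh:
                total += scan_bytes(fname, fh.read(), policy)
    return total


def make_sample_dir():
    """Create a constructed sample folder: hash-named extensionless files,
    some files with extensions, one clean file and one zip archive."""
    root = tempfile.mkdtemp(prefix="avscope_")
    body = b"junk" + SIGNATURE + b"junk"
    samples = {
        "0a1b2c3d4e5f": body,             # no extension, like downloaded samples
        "ffee00112233": body,
        "dropper.exe": body,              # in the assumed executable list
        "readme.txt": body,               # not an "executable" type
        "clean.exe": b"MZ" + b"\x00" * 64,  # executable, but no marker
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("packed_sample", body)   # extensionless member inside a zip
    with open(os.path.join(root, "bundle.zip"), "wb") as fh:
        fh.write(buf.getvalue())
    return root


def compare_policies(root=None):
    """Run every policy over the same folder; returns {policy: detections}."""
    own_dir = root is None
    root = root or make_sample_dir()
    try:
        return {name: scan_dir(root, name) for name in POLICIES}
    finally:
        if own_dir:
            shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for policy, hits in compare_policies().items():
        print(f"{policy:12s} {hits} detection(s)")
```

The same folder yields one hit under the assumed "scheduled" scope (only dropper.exe is opened), three under "on-access" (the two extensionless samples are now in scope) and five under "right-click" (readme.txt and the zip member are also inspected). Nothing about the content changed between runs; only the set of files the scanner was willing to open did, which is exactly why a sample set of hash-named, extensionless files can show zero detections under an extension-scoped scan. When comparing products, record which scope each scan used alongside the count, or the numbers are not comparable.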