On Fri, 2 Mar 2012 11:13:41 -0600, James E. Morrow
<(E-Mail Removed)> wrote:

>In article <XnsA0089C2EEF733HHI2948AJD832@no>,
>(E-Mail Removed) says...
>> Bear <(E-Mail Removed)> wrote in news:4f4d7919$0$292$14726298
>> @news.sunsite.dk:
>>
>> > http://bearware.info/screenshots/Img000.png
>> >
>> > The latest tests done by Emsisoft themselves.
>> >
>>
>> Just when I thought your testing methodology had issues, You'll even use
>> media puff pieces as official results.. Tell me something Bear, are you
>> "testing" by scanning a folder full of files you don't know for sure are
>> infact, malware? LOLz!
>>
>
>Bear appears to be conducting blind testing of malware. Now we can see
>just how blind it really is. '=)
Hey Bear
My last scan with Emsisoft: :

Files: 472268
Traces: 405133
Cookies: 0
Processes: 30

Found

Files: 49
Traces: 12
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 29/02/2012 21:07:26
Scan time: 7:23:58

Of which ONE was a REAL malware. The others were false
positives. False positives are a PITA.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

Shadow <(E-Mail Removed)> wrote in news:6s82l71vq90rpabo63uuaoaai5l5dklo43@
4ax.com:

> Of which ONE was a REAL malware. The others were false
> positives. False positives are a PITA.

The are not false positives. The software properties are those of malware.
You can easily submit the files to various services if you can't determine
which are false positives or not.

I would much prefer a few false positives over missed malware and one thing
you can be certain about, Emsisoft will catch more of those than any other.

To help ya:
Upload Malware
Anubis
Comodo Instant Malware Analysis
Comodo Valkyrie
GFI Sandbox
GFI Threat Track
EUREKA Malware Analysis Internet Service
Joebox
Norman SandBox
ThreatExpert
ViCheck
F-Secure Online Analysis
Avira Online Analysis
Malwr Analysis
Microsoft Analysis Services
Ether
NSI Sandbox
Online Malware Files Scan

VirusTotal
Jotti's malware scan
Virscan
Metascan-online
Dr Web Online Scan

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail

Bear wrote:
> Shadow<(E-Mail Removed)> wrote in news:6s82l71vq90rpabo63uuaoaai5l5dklo43@
> 4ax.com:
>
>> Of which ONE was a REAL malware. The others were false
>> positives. False positives are a PITA.
>
> The are not false positives. The software properties are those of malware.

What do you mean by "The software properties are those of malware."?

FromTheRafters <(E-Mail Removed)> wrote in
news:jirl65$9fl$(E-Mail Removed):

> Bear wrote:
>> Shadow<(E-Mail Removed)> wrote in news:6s82l71vq90rpabo63uuaoaai5l5dklo43@
>> 4ax.com:
>>
>>> Of which ONE was a REAL malware. The others were false
>>> positives. False positives are a PITA.
>>
>> The are not false positives. The software properties are those of
>> malware.
>
> What do you mean by "The software properties are those of malware."?
>
>

Just that. A lot of software, especially security tools use code that
hackers also use or so similar they would be amiss in not alerting you
about the possibility. Of course, Emsisoft should have a better system to
'white list' many well known tools it alerts on, but I would rather an
alert and let me determine if it is good or not than miss something that is
malware. Besides, that very code /could/ be used within that program to
help enact and hide their injection code. What you think is a false
positive may not really be and is worth a second look.

Emsisoft will catch what other miss more often and more thoroughly and I
can put up with a few false positives as a trade off. Much better than not
good enough.

http://www.sans.org/security-resourc...lse_alarms.php



--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail

Bear <(E-Mail Removed)> wrote in
news:XnsA00ABAFED32E0bearbottoms1gmail.AC@130.225.254.104:

> Emsisoft will catch what other miss more often and more thoroughly and
> I can put up with a few false positives as a trade off. Much better
> than not good enough.

I'll add that Emsisoft's detection rate is the best in the business and
regardless of the fact it has more false positives, best in the business
means it detects more actual malware than the others. Good enough for me.

That also means it's competitors miss more malware than Emsisoft does...by
a good margin...if that wasn't clear.

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail

Bear wrote:
> FromTheRafters<(E-Mail Removed)> wrote in
> news:jirl65$9fl$(E-Mail Removed):
>
>> Bear wrote:
>>> Shadow<(E-Mail Removed)> wrote in news:6s82l71vq90rpabo63uuaoaai5l5dklo43@
>>> 4ax.com:
>>>
>>>> Of which ONE was a REAL malware. The others were false
>>>> positives. False positives are a PITA.
>>>
>>> The are not false positives. The software properties are those of
>>> malware.
>>
>> What do you mean by "The software properties are those of malware."?
>>
>>
>
> Just that. A lot of software, especially security tools use code that
> hackers also use or so similar they would be amiss in not alerting you
> about the possibility.

I suspected that was what you meant, and sometimes the only difference
between an administrative tool and malware is in its usage. Shadow
didn't give enough information for any conclusion on your part about
whether or not they were false positives in *this* case.

> Of course, Emsisoft should have a better system to
> 'white list' many well known tools it alerts on, but I would rather an
> alert and let me determine if it is good or not than miss something that is
> malware. Besides, that very code /could/ be used within that program to
> help enact and hide their injection code. What you think is a false
> positive may not really be and is worth a second look.

I also like the better safe than sorry aspect of FP detections. They can
be a pain, and finding one is certainly no reason to re-image a system.

> Emsisoft will catch what other miss more often and more thoroughly and I
> can put up with a few false positives as a trade off. Much better than not
> good enough.

Everyone has their own comfort level as regards FPs.

[...]

Bear wrote:
> Bear<(E-Mail Removed)> wrote in
> news:XnsA00ABAFED32E0bearbottoms1gmail.AC@130.225.254.104:
>
>> Emsisoft will catch what other miss more often and more thoroughly and
>> I can put up with a few false positives as a trade off. Much better
>> than not good enough.
>
> I'll add that Emsisoft's detection rate is the best in the business and
> regardless of the fact it has more false positives, best in the business
> means it detects more actual malware than the others. Good enough for me.
>
> That also means it's competitors miss more malware than Emsisoft does...by
> a good margin...if that wasn't clear.
>
What's not clear here is how you equate a detection rate without regard
for the FPs. Detection rates (and tests generally) always diminish a
rating when FPs are encountered.

http://vx.netlux.org/lib/static/vdat/epperfct.htm

FromTheRafters <(E-Mail Removed)> wrote in news:jirpon$536$1@dont-
email.me:

> What's not clear here is how you equate a detection rate without regard
> for the FPs. Detection rates (and tests generally) always diminish a
> rating when FPs are encountered.
>

Not in my opinion. I would rather the best overall detection even if it
included more false positives, as I can figure out those and if a user
can't, there are tools available to help him figure out if it is a false
positive.

I would certainly not prefer a tool that picks up less malware but does a
great job not producing false positives...to me that is a duh.

Emsisoft picks up more malware than all it's competitors. That may change
in the future, as Comodo's tools are really great also and getting
better...I use both regularly at the moment.

Comodo's killswitch has replaced my task manager tool. It runs whenever I
do something that may be worthy of it's capabilities. Excellent tool.

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail

FromTheRafters <(E-Mail Removed)> wrote in news:jirp5j$2gq$1@dont-
email.me:

> Everyone has their own comfort level as regards FPs.

I agree...I just offer my opinions. They obviously get along fine with
their comfort levels...so likely their opinion is just as good as mine.

Obviously I think my opinion offers better protection given the facts of
the issue. I will however, change my opinion when I am proven wrong by
someone or something or some technology comes along that is better.

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail

Bear wrote:
> FromTheRafters<(E-Mail Removed)> wrote in news:jirpon$536$1@dont-
> email.me:
>
>> What's not clear here is how you equate a detection rate without regard
>> for the FPs. Detection rates (and tests generally) always diminish a
>> rating when FPs are encountered.
>>
>
> Not in my opinion.

http://www.av-comparatives.org/compa...se-alarm-tests

[...]