Windows 7: McAfee Total Protection & Windows Defender

Perhaps, I should have said -- all attacks so far have been caught...

I'm not trying to pick at your wording as much as I'm attempting to change your mindset. Your computer could have several infections right now and you might never know about them. Some infections have gone undetected for years. You just cannot say with certainty that all infections/attacks ("so far" or otherwise) are being detected/prevented.

From here:
~~~
I realize that the article quoted above is from 2008. Things have probably gotten worse since then. The contestants are not creating a new virus, they modify an existing/known/detectable virus so that it is no longer detectable by signature or heuristics.


From here:
The author of that article has the same flawed mindset. The quote above should read:We have no way of knowing how many pieces of malware were created that went undetected.


You might not want to do certain tasks online (e.g. banking).

Interesting recent test by VoodooShield developer - execution of malware samples and detection rates by top AV's including Norton, Avast & McAfee that have been mentioned in this thread. It's a long video but you can skip sections to see each AV in action.

White listing (done well) is probably the best protection. The "Race 2 Zero" contest is sponsored by a company that makes a security app that uses White Listing. None of the malware that the contestants created got thru the sponsor's security app. VoodooShield's claim to fame is the auto mode (so that the user does not have to authorize each app in the white list).

VoodooShield is an excellent app; however, some comments about that video:
The video is probably a great marketing tool. I wonder if VoodooShield's marketing department requested the test and the video or if the developers came up with the test method all by themselves.

They make this statement, "once a single line of malicious code is allowed to run... all bets are off". Many of those 1000 files that they ran, probably never executed a single line of malicious code. The antivirus apps being tested opted not to flag the installer of the malware. We don't know if the antivirus apps would have stopped* each piece of malware once it was extracted from the installers.

*stopped before "a single line of malicious code is allowed to run".

It is unfair of VoodooShield to make this statement, "We figured 5 months was enough time for leading Antivirus software to sufficiently detect these known threats." The testing shown does not indicate that the Antivirus software involved was not going to deal with the infection once it was unpacked from the installer (before "a single line of malicious code is allowed to run"). The testing simply shows that the Antivirus software being tested does not handle the installers in a way that VoodooShield would.


For the "non-installer files" that ran, but threw an error due to some missing file (presumably quarantined by the Antivirus software being tested): there was no analysis to determine if any harm was done. e.g. was a single line of malicious code allowed to run?

VoodooShield seems to consider allowing a bad file to be written to the hard drive as a failure - even if the bad file never executed. That said, there were clearly some files that ran unabated. We just don't know how many or how damaging (if at all) they were.


Caveats to the info above:
I mainly focused on what I saw as the flawed handling of installers in the testing. Some of the infections being run in that video were not installers. The exe being run was the malicious app itself. There will be malware that some Antivirus software will intentionally not flag as malware. It is a subjective call as to what constitutes a malicious file or action. You will never get all of the Antivirus companies to agree on just what constitutes a malicious file or action. For example, I have multiple key loggers installed on this work laptop. Some Antivirus apps have quarantined some of them. Others recognize them as non-malicious.

I know that an "installation screen" that is waiting for Next to be clicked might be a ruse. The installer might very well be doing malicious things without the need for user input. Without a careful analysis of the impact of running each of those 1000 apps, they really should not claim a level of failure on the part of any Antivirus software.

Hi UsernameIssues - all the points you make are valid. However Voodooshield is designed not to let any new (to the machine) executables run without the user's say so once the files have been analysed for safety. It might well block installers that are harmless unless the user doesn't pay attention to installation options.

Good point!

Personally I've been using whitelisting software for more than two years.

Autopilot Mode is going to block anything considered unsafe by the app. Personally I prefer "Smart Mode" where I get to make the decisions.