[Evaluation] Reject blind faith: an in-depth analysis of five mainstream anti-virus products

Source: Internet
Author: User
Tags: kaspersky internet security

News source: Deep Technology Forum

I often see anti-virus recommendation posts such as "XXX, the world's first" and "the world's top XXX" in various forums, which remind me of the figure of Mr. Lausdington in TV shopping, haha. Even titles like "XXX, anti-virus software for military purposes" get put up. This is ridiculous: everyone should understand that military computers are highly confidential and are not connected to the Internet, and any machines that are connected certainly do not run the software you have seen in those bragging posts. Imagine if the anti-virus software used by the military were open to the public: foreign spies would only need to spend some time preparing trojans aimed at that product's weaknesses, so would the army still have any secrets? If you don't believe it, take any so-called military anti-virus software for testing, and I will be able to come up with a trojan for that anti-virus software! It is because many people blindly trust, or even hold superstitious faith in, anti-virus software with a strong "advertising flavor" that I have to write this evaluation. This is not a small problem. If you believe blindly and have not run strict tests yourself, then the virus will greet your computer with Bao Ge's classic line from "Crazy Stone": "You think this is a public toilet? Come when you like, leave when you like!"

This test mainly targets the five most popular anti-virus products on the Internet (Kaspersky, Rising, Weidian, Red Umbrella, NOD32). I hope it will help many friends make their choice!

Test Platform:
1) Windows XP SP2 (no patches)
2) Memory: 512 M
3) CPU: Intel(R) Pentium(R) processor 1.73 GHz 797 MHz

Evaluation content:
To build the test environment, Windows XP SP2 and some common software are installed before the evaluation, and a Ghost image is then created. The system is restored to this initial state before each security product is tested, so that the test environment stays consistent. All software under test is installed on the system disk (drive C). After installation, each product is fully updated so that its virus database and program version are current. The functional evaluation is divided into the following aspects:
1) Usage environment
2) Self-protection
3) Anti-virus capability
4) Resource usage
Note: 1) In the evaluation data below, "boot time" is the period from power-on until the anti-virus software has started; 2) there are 460 samples in the sample test package; the total number of files scanned differs between products because the file types each product scans are different. (If this is unclear, you can look it up on Baidu.)

Evaluation process:


Kabbah 7 (Kaspersky Internet Security 7.0):
The installation package of Kaspersky Internet Security 7.0 (single-host) is 30.8 MB; after installation it takes up 21.4 MB. You can choose the installation path freely. The installation process is short and the installation speed is remarkable! Finally, go through the license check, choose the 30-day trial, and restart the system once installation is complete.
The installer does not scan memory. If it is installed on a computer that is already infected, it may run into obstacles, especially with viruses that target anti-virus software.
First, we upgrade Kabbah to the latest version:



After the update completes, restart the computer. Once every component has been updated and restarted, restart the computer three times. After each restart, leave the computer untouched at the desktop for five minutes and record the relevant system values:



Many people may not understand why Kabbah's memory usage is so large. In the past, Kabbah really did bog the machine down, but after user feedback it solved this problem on the surface by shifting its memory usage into virtual memory. Whether this change of soup without a change of medicine is acceptable remains open to discussion. Kabbah runs as two processes: one AVP process starts once the system reaches the welcome screen, while the other starts only after the network has been identified. What if a virus attacks during this interval?
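One way to put numbers on the working-set versus virtual-memory point above, as an added example that is not part of the original evaluation: it averages `typeperf` samples taken during the idle window after a restart and compares each process's working set (the resident memory Task Manager shows as "Mem Usage") with its private bytes. The host name TESTPC, the sample figures and the 2x ratio are assumptions made for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in typeperf's CSV layout (values in bytes), as produced by e.g.
#   typeperf "\Process(avp*)\Working Set" "\Process(avp*)\Private Bytes" -si 60 -sc 5 -f CSV
# TESTPC and every figure below are made up for illustration.
SAMPLE_CSV = r'''"(PDH-CSV 4.0)","\\TESTPC\Process(avp)\Working Set","\\TESTPC\Process(avp)\Private Bytes","\\TESTPC\Process(avp#1)\Working Set","\\TESTPC\Process(avp#1)\Private Bytes"
"03/01/2008 10:01:00.000","8388608.000000","62914560.000000","4194304.000000","20971520.000000"
"03/01/2008 10:02:00.000","10485760.000000","62914560.000000"," ","20971520.000000"
"03/01/2008 10:03:00.000","6291456.000000","62914560.000000","4194304.000000","20971520.000000"
'''

COUNTER_RE = re.compile(r"\\Process\((?P<inst>[^)]+)\)\\(?P<counter>[^\\]+)$")
MB = 1024 * 1024

def summarize(csv_text):
    """Return {process instance: {counter name: average in MB}} over all samples."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header, samples = rows[0], rows[1:]
    values = defaultdict(lambda: defaultdict(list))
    for col, name in enumerate(header):
        m = COUNTER_RE.search(name)
        if not m:
            continue  # timestamp column or a counter this example does not parse
        for row in samples:
            try:
                values[m["inst"]][m["counter"]].append(float(row[col]))
            except (ValueError, IndexError):
                pass  # empty or non-numeric field: no sample for this interval
    return {inst: {c: sum(v) / len(v) / MB for c, v in counters.items() if v}
            for inst, counters in values.items()}

def commit_exceeds_resident(summary, ratio=2.0):
    """Instances whose private bytes are at least `ratio` times the working set.
    The threshold is an assumption of this example, not a standard."""
    return sorted(inst for inst, c in summary.items()
                  if c.get("Private Bytes", 0) >= ratio * c.get("Working Set", float("inf")))

if __name__ == "__main__":
    result = summarize(SAMPLE_CSV)
    for inst, c in sorted(result.items()):
        print(f"{inst:6s} working set {c['Working Set']:5.1f} MB, private {c['Private Bytes']:5.1f} MB")
    print("small resident set, large commit:", commit_exceeds_resident(result))
```

A process that looks light in the working-set column but carries a large private-bytes figure still commits that memory, which is why both counters belong in a resource-usage comparison.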

Self-protection:
Under normal system conditions, Kabbah allows neither its service to be stopped nor its process to be ended from Task Manager. We also tested its self-protection with the APT software: Kabbah's dual processes withstood more than 10 of the termination functions in APT, so its self-protection is very good. But sometimes Kabbah has problems of its own, such as conflicts. How do we end it then? Enter safe mode? It's hard to find another person...
Kabbah scan detection:
The virus folder contains part of the samples collected by the author in recent months. Let's look at Kabbah's performance during the scan:
CPU and memory usage:



It is easy to see that CPU usage is still quite high while Kabbah is scanning, and memory usage is even higher (counting virtual memory): close to 140 M. What a frightening figure; on a machine with 256 M, would you still dare to run a scan?
Kabbah scan results:



Unfortunately, on my sample set Kabbah's performance does not reflect its powerful database. Some people may say that Kabbah has active defense and can block threats even without signatures, so let's look at the test below.
Kabbah Configuration:



After running a pigeon sample, the BEEP.SYS that everyone is familiar with shows up. Kabbah also detects that the sample is about to create a service, which is good. But what I want to ask is: faced with such a prompt, how many people really understand whether to choose "allow" or "deny"? Anti-virus software is there to protect you, not to leave the user guessing on his own!



I asked my roommates to look at this picture. They all gave the same answer: baffled. How am I supposed to know which one to choose? If I knew, what would I need the software for? Many people install security software for the sake of system security, hoping it will give them a quiet and harmonious environment. Can a prompt like this leave you in peace?
After you click "deny", the following page appears:



My God, isn't Kabbah protected? Puzzled ......
Below is the installation of an e-reader. Kabbah's active defense raised alarms here too. How is one supposed to choose?



Put simply, this so-called "active defense" is just behavior alerting. Leaving aside the biggest problem, which is whether users really know how to make the right choice, many applications access the registry and so on during normal use. I would like to ask: who has the patience to answer that many multiple-choice questions and torture the poor mouse?
But overall, Kabbah still does well. A powerful virus database plus simple active defense is enough for ordinary viruses. We hope Kabbah 2009 will give us more to admire.

Rising 2008 (with Account Safe):
The installation file of Rising 2008 is 60.28 MB. After installation, the folder size is 168 MB. It supports four languages, which gives it quite an international air. Rising is the only one of the five anti-virus products that checks memory before installation, which is commendable.
First, upgrade Rising to the latest version:



Repeat the operations from the Kabbah test: after the update completes, restart the computer. Once the components have been updated and restarted, restart the computer three times. After each restart, leave the computer untouched at the desktop for five minutes and record the relevant system values:



Rising runs many processes, and those that are not core processes are easy to end. This comes down to the software architecture and will not be discussed further here.

Self-protection capability:
Rising's self-protection has improved greatly compared with earlier versions, and memory usage has also improved significantly.
Neither the relevant commands nor Task Manager can close Rising. Next we see whether Rising can pass the APT test:
The tests show that two of Rising's processes were terminated, but this did not affect Rising's monitoring. Our preliminary conclusion is that these two processes are not Rising's core processes.
Self-protection is strong.

Rising scan detection:
Rising's scan results are as follows:



As a "brother", Rising has good sample channels in China, and its detection and removal rate is not low. Like Kabbah, Rising has the legendary active defense. Let's test that too:



After I ran a relatively old virus, Rising did not prompt at all, which was strange. Checking the system time, I found that it had been modified:



After the restart, Rising asked me to enter a new serial number to register before upgrading. Speechless...
Then I ran another virus, and this time Rising did prompt, which is rare:
