[Avcheck] DrWeb [was: avcheck-0.4]

Michael Tokarev mjt@tls.msk.ru
Tue, 18 Sep 2001 13:16:52 +0400


Piotr Klaban wrote:
> 
> On Tue, Sep 18, 2001 at 01:53:04AM +0400, Michael Tokarev wrote:
> >  (and DrWeb is better than e.g. Avp IMHO) -- my servers runs
> >  DrWeb for about a month now, without troubles
> Can you write more about it - why DrWeb is better (except it runs
> without problems)?

I expected a question like this... ;)  Ok.

DrWeb is still not as "mature" as AVP, and it surely has bugs
(it crashed twice here already, and strace shows some interesting
stuff like `unlink(<complete garbage>)' sometimes).  But it is written
far more carefully, by people who know *what* they are doing.
Those bugs should and will be fixed (I already posted all my
results to sald, got *great* attention from them -- again,
unlike kaspersky's ignorance).  People at sald know that they
have little experience on unix, and try to learn (including
their own experience with the online version of their antivirus
(available via www) that is a constant target of a great amount
of DOS attacks and the like, including 42.zip bombs etc).

The engine itself is almost of the same quality (read: it detects
almost the same viruses as e.g. avp) -- I don't know of significant
differences here.  According to their stats, AVP knows far more
viruses than DrWeb (40.000 vs 20.000 approx), but this is due
to how viruses are counted -- AVP counts every virus modification,
while DrWeb counts every virus "type".  For example, CodeRed is
counted at least 4 times in AVP and only once in DrWeb bases.
I checked many different recent viruses with both, and both detect
them nicely.  They name the same viruses a bit differently,
but that's not an issue (for example, DrWeb - Win95.Matrix.something,
AVP - I.Worm.MTXsomething).

Both DrWeb and AVP bases update at least daily (in fact, DrWeb
`drwtoday.zip' updates every several hours, at least 3-4 times
per day), and both release "cumulative" updates every week or
so.  So both are very "current" at any given time.

DrWeb has had some anti-DoS controls from day one (only simple
controls, like a timeout for one file, or max compression ratio).
They are implemented in a somewhat strange manner (e.g. the timeout
is implemented by querying the system time before/after every single
step and comparing the result with the max completion time, instead of
just setting an alarm -- thus it issues *tons* of time() syscalls.
Funny that the folks just seem not to know about alarm() -- I pointed
this out, and they agreed and thanked me.  They learn).  That is to
say that they aren't "lazy" to insert "timeout checks" in every
place just to have some basic DoS prevention! ;)

DrWeb seems to be somewhat faster than AVP, but I'm not sure --
I didn't compare them with each other.  Some years ago DrWeb
(msdos version) was *very* slow, esp. with its heuristic analysis,
but now things have improved greatly.  At least the current DrWeb runs faster
on our linux i486DX4/100 machine than the very old msdos version on
the same machine (and the new one detects *far* more viruses, obviously)... ;)

The bad news about DrWeb is its update "mechanism", and versioning
scheme.  There is no normal ftp access to the DrWeb site yet, and
the usual tools (ftp, wget etc) can't be used to fetch updates: one
needs to download one well-known file with a listing of changes,
then parse that file and download virus bases and the like.
I don't know why they made all this crap, but hope they
will allow normal ftp access (I suggested setting up rsync, but
it seems they have a very complex "release system", and have
troubles setting that all together...).

But the worst thing here is that once a new software version is out,
updates will be published for that new version only -- the old
version will be unsupported.  Or, in other words, -- their
antivirus base updates *include* executables too.  The Win-based
version is able to fetch executable files automatically, so
this is transparent (except for traffic and download time ;).

As a summary.  There are at least two points when comparing different
antivirus products: "virus detection ability", i.e. how many
viruses it catches (or, strictly speaking, what percentage of
known "current" viruses it catches -- after all, one can write
*many* viruses and include detection/curing of them in one's own
antivirus ;), and quality/usability of the supporting "shell" tool(s).
Engines are very similar; while the support tools of DrWeb are far
more accurate.  DrWeb needs some bugfixes, while AVP needs a global
review.  And DrWeb is more "unix friendly" in the end, -- it has
fewer options that are at least more logical than those of Avp, and one
*knows* by looking into the short docs how to execute DrWeb tools (I
spent a great amount of time trying to figure out what every
kavdaemon option means and how it interacts with other options).

My impression about DrWeb is very good for now -- let's see how
it will change with time... ;)

Regards,
 Michael.