[Avcheck] Re: drweb question

Michael Tokarev mjt@tls.msk.ru
Sat, 29 Mar 2003 14:11:11 +0300


Robert Carr wrote:
> Hi Michael,

Hello, Robert!

[]
> DrWeb seems to support OpenBSD (and qmail) now. 
> There's an OpenBSD tgz on their ftp site, even though
> the web-page makes no mention of being able to
> download or purchase their product for OpenBSD. 
> Curiously, the OpenBSD tgz on their ftp site contains
> no script or app for updating the virus definitions.

I've no knowledge in this area.  However, their support
is - reportedly - very responsible, so you may ask
them directly about OpenBSD.

> I've read several posts in which you state your
> preference for DrWeb over KAV.  Why do you like DrWeb
> over KAV (aside from the fact that KAV programmers are
> sloppy and have ignored suggestions for improvements).
>  Is DrWeb as good at detecting viruses?  Are there an
> equal amount of virus definitions for DrWeb and KAV?

Comparing them in the detection area is umm...  All nowadays
antivirus products are almost equal here.  The difference is
usually in time - _when_ updates containing new virus
definitions are released.  From my two years' experience,
I have never seen a virus that wasn't detectable by drweb, but
I have seen two or three undetectable by KAV.  That was at KAV-3.0
times, when I used it last.  Concerning "equal amount" -
that's a funny story: drweb claims it has 20000 virus signatures,
while KAV folks say they have 70000 (numbers are approx.,
just to show the difference).  This is solely because of
_how_ each counts its viruses: drweb counts a virus *family*
as a single unit, and usually it may detect several variants
in the same family without even updating virus bases, while
KAV counts every single virus variant.  Also, KAV has definitions
for several "questionable" "viruses" - like a key generator
for KAV, while drweb folks - to my knowledge - never do that.
Look at Virus Bulletin results - _all_ comparisons in the last
years resulted in drweb VB100% awards (they use _the same_
engine - not similar but _the same_ - drweb32.dll plus their
*.vdb files - on all platforms, you may see that yourself by
downloading any version).  Another aspect is accuracy.  Just
one example: at Klez times, I posted several times an example
of a regex for postfix that will block Klez.  And every time I
posted it to a mailing list, I got several "infected mail" replies
from sites running KAV - _only_ KAV, not e.g. RAV, H+BEDV or
any other antivirus.  "You email is infected by IFrame.download" -
yeah, right, sure it is, as a one-line regex in the body of a
text/plain email!.. ;)

There are other aspects too.  I was NEVER able to crash drweb,
regardless of all my attempts to push it really hard - by sending
reloads while it worked, by killing workers (to see what would
be returned to the client), by sending it various 42.zip bombs all
at once, corrupted .docs and .zips etc.  Well... this is not
accurate: some beta - before the first unix release - was crashable... ;)
While KAV crashed several times just on its own.

Generally, Kaspersky folks are marketers, while drweb folks are
programmers.

So, basically, here we go.  I must admit I haven't looked at KAV
for quite a long time: maybe something has changed since.

> Anyway, since I only have experience with Kaspersky's
> KAV, I wondered what your opinions, experience,
> complaints were with DrWeb, H+BEDV and RAV (all of
> which appear to support qmail and OpenBSD).  

I can't comment on other av products - just because I don't
know.  When I needed an antivirus for unix, quite a few variants
were available, and only two of them had a real daemon mode -
KAV and DrWeb.  Nowadays, many more products are available,
and new ones keep coming all the time.  But I'm such a happy DrWeb
user, I've never needed anything else since I installed it here, it
just works, - so I never bothered looking at anything else.
BTW, is Viextra available for OpenBSD?  Some folks say
good words about it too, but I never saw it.

Ok.  You may just take a look at - I hope - all of them (except
KAV for sure - their demo version will not work for email).
Take a look at how qmail support is implemented - how clean and
reliable it is, that is.  Whether an antivirus is installed to
run as root and to listen on the network.  How updates are
released... oh... that's an endless list, I know... ;)

Good luck.

/mjt
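The robustness tests mentioned above (42.zip bombs sent all at once, corrupted .zips) are the kind of input a mail content filter should refuse before it ever hands the attachment to the scanner daemon. The following is an added example, not code from this thread or from DrWeb or KAV: a pre-scan guard that walks a zip's central directory, rejects archives whose declared compression ratio or total size is implausible, follows nested archives only with a hard byte cap, and treats unparsable data as a rejection instead of a crash. The thresholds, function names and sample archives are all invented for the example.

```python
"""Pre-scan guard for zip attachments (constructed example).

Rejects decompression bombs, deeply nested archives and corrupt zips
without extracting anything, so a scanner daemon behind it never has to
inflate a 42.zip-style payload. Thresholds below are illustrative, not
taken from any product.
"""
import io
import zipfile

MAX_RATIO = 100            # declared uncompressed : compressed ratio we tolerate
MAX_DEPTH = 2              # archive-in-archive levels we are willing to follow
MAX_MEMBER_READ = 1 << 20  # bytes we will pull out of one nested member (1 MiB)
MAX_TOTAL = 64 << 20       # total declared uncompressed bytes per archive


def inspect_zip(data, depth=0):
    """Return (verdict, detail); verdict is 'accept' or 'reject'.

    Sizes come from the central directory only. Nested archives are read
    through a capped read(), never extracted to disk, and recursion stops
    at MAX_DEPTH. A corrupt archive is a rejection, not an exception.
    """
    if depth > MAX_DEPTH:
        return "reject", f"nested deeper than {MAX_DEPTH} levels"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        infos = zf.infolist()
    except zipfile.BadZipFile as exc:
        return "reject", f"corrupt archive: {exc}"

    total_raw = sum(i.file_size for i in infos)
    total_packed = sum(i.compress_size for i in infos)
    if total_raw > MAX_TOTAL:
        return "reject", f"declares {total_raw} uncompressed bytes"
    ratio = total_raw / max(total_packed, 1)
    if ratio > MAX_RATIO:
        return "reject", f"compression ratio {ratio:.0f}:1"

    for info in infos:
        if not info.filename.lower().endswith(".zip"):
            continue
        # Bounded read: stop one byte past the cap rather than trusting
        # the declared size of the member.
        with zf.open(info) as member:
            inner = member.read(MAX_MEMBER_READ + 1)
        if len(inner) > MAX_MEMBER_READ:
            return "reject", f"nested archive {info.filename} exceeds read cap"
        verdict, detail = inspect_zip(inner, depth + 1)
        if verdict != "accept":
            return verdict, f"{info.filename} -> {detail}"
    return "accept", f"ratio {ratio:.1f}:1, depth {depth}"


# --- constructed sample inputs -------------------------------------------

def _zip_bytes(members, compression=zipfile.ZIP_DEFLATED):
    """Build an in-memory zip from (name, payload) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


def sample_benign():
    return _zip_bytes([("readme.txt", b"quarterly report attached\n" * 4)])


def sample_bomb():
    # 8 MiB of zeros deflates to a few KiB: roughly 1000:1, the idea behind 42.zip
    return _zip_bytes([("zeros.bin", b"\0" * (8 << 20))])


def sample_nested_bomb():
    # the same bomb wrapped in an outer archive, outer layer stored uncompressed
    return _zip_bytes([("inner.zip", sample_bomb())], zipfile.ZIP_STORED)


def sample_corrupt():
    # local-file-header magic followed by garbage; no central directory at all
    return b"PK\x03\x04" + b"\xff" * 64


if __name__ == "__main__":
    for label, blob in [("benign", sample_benign()), ("bomb", sample_bomb()),
                        ("nested", sample_nested_bomb()), ("corrupt", sample_corrupt())]:
        print(f"{label:8s} {inspect_zip(blob)}")
```

The guard deliberately never calls `extractall()`; the only decompression it performs is the capped read of members that are themselves archives, which is what keeps a nested bomb from being inflated on the filter host.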