Seth

SAS comparison to other products.

Hello,

As a computer technician, I purge systems of various types of malware on a daily basis.

For about the last month, I've been testing SAS's malware detection and removal abilities and have been thoroughly impressed.

The following are results from a comparison I conducted on a heavily infected system. None of the scanners were allowed to remove any infections:

| Scanner          | Adware/Spyware | Trojans/Backdoors/Dialers/etc. | Total |
|------------------|----------------|--------------------------------|-------|
| Spybot           | 11             | 0                              | 11    |
| AVG              | 0              | 12                             | 12    |
| Ad-Aware         | 21             | 6                              | 27    |
| Norton 2005      | 11             | 17                             | 28    |
| SpySweeper       | 20             | 13                             | 33    |
| NOD32            | 17             | 22                             | 39    |
| BitDefender      | 21             | 23                             | 44    |
| SuperAntiSpyware | 25             | 19                             | 44    |
| A-Squared        | 23             | 22 (plus 1 rootkit)            | 46    |
| Kaspersky        | 16             | 34                             | 50    |
| Ewido            | 22             | 33 (plus 1 rootkit)            | 56    |

Suggestions:

The term "SUPER" in SuperAntiSpyware sounds very cheesy and reminds me of a rogue product. Also, the name doesn't mention that SAS is very good at detecting trojans, keyloggers, downloaders, and other such types of malware.

Anyway, thanks for a wonderful product. SAS has top-rate detection, a simple and straightforward user interface, excellent real-time protection, and very useful utilities. I'll be purchasing and recommending the professional version.


I agree with your testing results. I too, am a tech and I generally use SAS along with Kaspersky AV and between the two I am able to nail just about everything out there. I use a BartPE CD on the infected drive and am in the process of building a small heavy duty "super box" with tons of RAM, a very large HD, and a quick mobo and processor to be used as a "diagnostic test box" for my work. I always try to get the user to purchase SAS after their PC has been cleaned and explain the benefits.

> The term "SUPER" in SuperAntiSpyware sounds very cheesy

Since I try to stay in tune with the rogue anti-spyware programs out there, I too had trouble with the name at first, but with time it has proven itself over and over. :)

> I agree with your testing results. I too, am a tech and I generally use SAS along with Kaspersky AV and between the two I am able to nail just about everything out there. I use a BartPE CD on the infected drive and am in the process of building a small heavy duty "super box" with tons of RAM, a very large HD, and a quick mobo and processor to be used as a "diagnostic test box" for my work. I always try to get the user to purchase SAS after their PC has been cleaned and explain the benefits.

I have tried using SUPERAntiSpyware to disinfect a slaved drive and can confirm that the steps SUPERAntiSpyware uses to prevent false positives also prevent the detection of about 75% of the malware it detects under normal circumstances. The idea of a shop version that imports a slaved drive's registry to work with the scanning of a slaved drive has been proposed already.

The box by itself is an awesome idea. I built one for my work and could not live without it. Make sure to add a RAID card to attach external IDE cables and a high-powered PSU. The way I have mine set up allows me to work on 8 ATA, 2 notebook and 4 SATA drives at once. A multicore processor is also a must. Currently the best applications to scan a slaved drive are PestPatrol, CounterSpy, ZeroSpyware, Kaspersky and AntiVir. They don't seem to care where the malware is located. The load hive function of regedit will allow you to edit a slaved drive's registry. This can be a life saver if a non-malware problem prevents normal booting. There is also a way to build a new registry from a system restore point. This is easy to do when you slave the problem hard drive to an XP Pro system.

If you have any questions about my work machine let me know.


Thank you for the replies.

> I have tried using SUPERAntiSpyware to disinfect a slaved drive and can confirm that the steps SUPERAntiSpyware uses to prevent false positives also prevent the detection of about 75% of the malware it detects under normal circumstances.

This is interesting. Can you elaborate or provide further details please?

> Thank you for the replies.
>
> > I have tried using SUPERAntiSpyware to disinfect a slaved drive and can confirm that the steps SUPERAntiSpyware uses to prevent false positives also prevent the detection of about 75% of the malware it detects under normal circumstances.
>
> This is interesting. Can you elaborate or provide further details please?

If I take the hard drive out of an infected machine and scan it as a slaved drive, SAS does not find much. If I put the drive back into its home system and scan it again, many more malware threats are discovered (and not just the registry remnants).

You can ask SUPERAntiSpy for the technical details, but the way he explained it to me made it sound like the scan engine is designed to produce very few false positives and as a result the malware on a second drive is sometimes missed. He also mentioned a new shop version of SAS specifically designed to remove malware from a slaved drive may be in the works. It would be the first of its kind I believe.

I ran into this problem a while back and made the mistake of thinking that SAS sucked because of its slaved scan results. I was proven wrong shortly afterwards when I tried it on a live system.

> If I take the hard drive out of an infected machine and scan it as a slaved drive, SAS does not find much. If I put the drive back into its home system and scan it again, many more malware threats are discovered (and not just the registry remnants).

I've never scanned a slave with SAS, but I guess I just can't see why it would be poor at detecting malware on a slave.

Of course the main difference is that the master drive is live and the slave has no running processes. But this shouldn't make any significant difference in a scanner's detection ability.

However, I will definitely try and reproduce your results at the next opportunity.


Thanks for the advice on the creation of a SUPERBOX, nosirrah. :D

As I said in an earlier post, I've been using BartPE for remote scanning and have had great success. I use RunScanner to scan the remote registry. Your comments regarding using SAS remotely are interesting.

> If I take the hard drive out of an infected machine and scan it as a slaved drive, SAS does not find much. If I put the drive back into its home system and scan it again, many more malware threats are discovered (and not just the registry remnants).

It's interesting because you have the choice of what drive you want to scan. Of course you don't have that luxury with the registry, so that's why I use RunScanner to redirect the default registry scan from the BartPE CD to the infected HD. It has worked well for me this way. I have also used Kaspersky and Spy Sweeper with great results. One thing I'll admit though, I've never rescanned the HD again after scanning it from the BartPE CD from RAM. I'll have to try this approach next time to see what is found by the anti-malware utilities by them running directly from the HD after the RAM drive scan. :)


If anyone has any questions about why the slave scan is not effective with SAS, go ahead and ask SUPERAntiSpy. He is the one that explained it to me when I discovered that SAS did very poorly when I tested it this way.

I started slave scanning in direct response to the rootkit outbreak and because I was tired of being limited to a customer's crummy hardware to fix their system.

This also lets you clone an old 5400 rpm drive onto a Raptor, disinfect it and then clone it back.

> > I agree with your testing results. I too, am a tech and I generally use SAS along with Kaspersky AV and between the two I am able to nail just about everything out there. I use a BartPE CD on the infected drive and am in the process of building a small heavy duty "super box" with tons of RAM, a very large HD, and a quick mobo and processor to be used as a "diagnostic test box" for my work. I always try to get the user to purchase SAS after their PC has been cleaned and explain the benefits.
>
> I have tried using SUPERAntiSpyware to disinfect a slaved drive and can confirm that the steps SUPERAntiSpyware uses to prevent false positives also prevent the detection of about 75% of the malware it detects under normal circumstances. The idea of a shop version that imports a slaved drive's registry to work with the scanning of a slaved drive has been proposed already.
>
> The box by itself is an awesome idea. I built one for my work and could not live without it. Make sure to add a RAID card to attach external IDE cables and a high-powered PSU. The way I have mine set up allows me to work on 8 ATA, 2 notebook and 4 SATA drives at once. A multicore processor is also a must. Currently the best applications to scan a slaved drive are PestPatrol, CounterSpy, ZeroSpyware, Kaspersky and AntiVir. They don't seem to care where the malware is located. The load hive function of regedit will allow you to edit a slaved drive's registry. This can be a life saver if a non-malware problem prevents normal booting. There is also a way to build a new registry from a system restore point. This is easy to do when you slave the problem hard drive to an XP Pro system.
>
> If you have any questions about my work machine let me know.

99.99% of the infections that our real-world users are going after are live infections on their primary box/hard disk. We did not design SUPERAntiSpyware to scan slave drives, mount slave registries, etc., although we may provide that ability in a future version.

The items we will be "non-effective" with on a slave box will be mostly registry items, as any of the file items that are detected by our regular definitions/signatures will be detected on the slave drive as well; those are non-path dependent.
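As an added example (not code from the thread, and not SUPERAntiSpyware's own), this applies the regedit "load hive" approach nosirrah mentions to the registry items described above: it attaches a slaved drive's offline SOFTWARE and NTUSER hives with reg.exe and lists the common autostart values, which a scanner reading the host's live registry never sees. It assumes an elevated PowerShell on the tech's box, the slaved volume mounted as D:, and an XP-style profile directory for the infected user's NTUSER.DAT.

```powershell
# Added example, not code from the thread or from SUPERAntiSpyware: load a slaved
# drive's offline registry hives with reg.exe and list the usual autostart values,
# the "registry items" a scanner reading the host's live registry misses on a slave.
# Assumptions: elevated PowerShell on the tech's box, slaved volume mounted as D:,
# and an XP-style profile directory holding the infected user's NTUSER.DAT.
param(
    [string]$SlaveRoot  = 'D:',
    [string]$ProfileDir = 'D:\Documents and Settings\Owner'
)

$hives = @{                       # temporary mount name -> hive file on the slave
    'SlaveSW'   = Join-Path $SlaveRoot  'Windows\System32\config\software'
    'SlaveUser' = Join-Path $ProfileDir 'NTUSER.DAT'
}
$checks = @(                      # mount, subkey, value names to show ('*' = all)
    @('SlaveSW',   'Microsoft\Windows\CurrentVersion\Run',     '*'),
    @('SlaveSW',   'Microsoft\Windows\CurrentVersion\RunOnce', '*'),
    @('SlaveSW',   'Microsoft\Windows NT\CurrentVersion\Winlogon', @('Shell', 'Userinit')),
    @('SlaveUser', 'Software\Microsoft\Windows\CurrentVersion\Run', '*')
)

try {
    foreach ($name in $hives.Keys) {
        & reg.exe load "HKLM\$name" $hives[$name] | Out-Null     # attach offline hive
        if ($LASTEXITCODE -ne 0) { throw "reg load failed for $($hives[$name])" }
    }
    foreach ($c in $checks) {
        $mount, $sub, $want = $c
        $key = "HKLM:\$mount\$sub"
        if (-not (Test-Path $key)) { continue }
        Write-Host "== $sub"
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                  # provider metadata
            if ($want -ne '*' -and $want -notcontains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Re-point the command's drive letter at the slaved volume and check the
            # target still exists: a dangling autostart is a common infection remnant.
            $note = ''
            if ($cmd -match '^"?([A-Za-z]:\\[^"]*?\.exe)') {
                $onSlave = $Matches[1] -replace '^[A-Za-z]:', $SlaveRoot
                if (-not (Test-Path -LiteralPath $onSlave)) { $note = '  [target missing on slave]' }
            }
            Write-Host ("  {0,-20} {1}{2}" -f $p.Name, $cmd, $note)
        }
    }
}
finally {
    foreach ($name in $hives.Keys) { & reg.exe unload "HKLM\$name" | Out-Null }
}
```

The finally block unloads both hives even if a key is missing or a load fails, so the slaved drive is left clean for the next tool.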

> The term "SUPER" in SuperAntiSpyware sounds very cheesy and reminds me of a rogue product. Also, the name doesn't mention that SAS is very good at detecting trojans, keyloggers, downloaders, and other such types of malware.

Thanks for the compliments and test posting - that's the typical results we see in real-world live infection detections and removals.

The "SUPER" name is part of our brand - we have SUPERAntiSpyware, SUPERAdBlocker, SUPERFileRecover and soon other "SUPER" products - the "SUPER" is part of building a brand and product recognition.

We do include text on all of our sites and literature regarding the fact that SUPERAntiSpyware will detect and remove Spyware, Adware, Malware, Trojans, Keyloggers, Dialers, Downloaders, etc.


I just tested Spy Sweeper and SAS from a CD and from the HD. I infected the HD with several types of malware, in particular Vundo and SmitFraud. With the exception of a few registry entries found (and some cookies) from running the utilities from the HD and not from the CD, the files and folders are the same.


> The "SUPER" name is part of our brand - we have SUPERAntiSpyware, SUPERAdBlocker, SUPERFileRecover and soon other "SUPER" products - the "SUPER" is part of building a brand and product recognition.

How about combining into a single product?

> > The "SUPER" name is part of our brand - we have SUPERAntiSpyware, SUPERAdBlocker, SUPERFileRecover and soon other "SUPER" products - the "SUPER" is part of building a brand and product recognition.
>
> How about combining into a single product?

We are keeping them as separate products as most users are not fans of the bloated "suites" of software.
