VCM1: AVP/KAV: What version to use?
by VirusBuster
…ÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕª
∫ AntiViral Toolkit Pro by Eugene Kaspersky for DOS32 ∫
∫ Copyright(C) Kaspersky Lab. 1998-2000 ∫
∫ Version 3.0 build 133 ∫
∫ ∫
»ÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕÕº
How many times above lines have scrolled in virus collectors monitors?
At least on mine hundreds of times, probably thousands.
AVPDOS32 3.0 build 133 was for many years, along with F-Prot, the most popular antivirus used for virus trading.
Many years ago Dr. Solomon and F-Prot used to be the most popular avs to exchange viruses. After a time Dr. Solomon started to remove unique IDs and add more and more generic detections, so it was time for a change. That is why AVP became so popular among collectors: AVP was able to detect a large list of viruses in a unique way, without generic detections.
AVPDOS32 became after a time the most used antivirus between collectors while F-Prot started to lose popularity and this has been that way for many time. AVPDOS32 the unquestionable king of log files.
AVPDOS32 have had its pros and contras. I would point as pros:
- With the time became freeware.
- Antivirus databases updates are for free.
- All virus collectors used to use it to make logs.
- Frequent updates: weekly and daily updates.
and as contras:
- Support was discontinued.
- "Midnight" bug which produces I/O errors while scanning certain files if scanning is done between 00:00 and 00:59 AM.
- Slow scanning speed.
- Depending of the command line you get different scanning results.
- No automatic updating.
After january 2004 cumulative the situation has changed: if AVP was slow now its terribly slow. Per example my collection used to need 3 hours to be scanned with AVPDOS32 and actually it needs over 11 hours. That is too much for anyone.
So I consider that is time for a change but not of antivirus as occurred with Dr. Solomon, just of version.
Some collectors are actually using KAVDOS32 3.0 build 135 or KAVDOS32 4.0 to make logs. They switched from AVPDOS32 3.0 build 133 to any of these versions. Why? I really do not know because those versions are still really slow compared to KAV 4.5.
Kaspersky Antivirus 4.5 is the solution to speed problems. It needs around 48 minutes to scan my collection. That is a third part of the time that AVPDOS32 used to need when it was working fine.
What are the main problems someone could find if he decides to change of antivirus version? (AVPDOS32/KAVDOS32 -> KAV 4.5)
First, the tools he uses must be adapted to use KAV logs. The most used set of virus trading tools is VS2000 package which is already prepared to manage KAV logs. So I recommend to use VS2000 package tools.
Second, he must know how to configure and use KAV.
Configuration of KAV:
- Run AVP32.EXE
- Click "Expert" button from left menu.
- Click "Options" button from left menu.
- In "Options" you select:
- Save report file -> Enabled
- Define where to store the log and with what name
- Show pack info, Show clean object, Append and Limit size -> Disabled
- Select your preferences from "Customize" menu from left menu.
- Go to "File" menu and select "Save Profile as Default".
Using KAV:
KAV can be used from command line or from the GUI.
From command line the user must use:
AVP32 /S /W /Q C:\DIRECTORY_TO_SCAN
or:
AVP32 /S /W /Q /redundant C:\DIRECTORY_TO_SCAN
to use redundant scanning.
From GUI the user must select what directory to scan.
It is not possible to use redundant scanning from GUI.
From command line is not possible to define where the log will be saved.
If you want to run KAV from a batch file you must use "START /W".
Example:
C:
CD \ANTIVIRUS\KAV
START /W AVP32.EXE /S /W /Q C:\VIRUS
CD \ANTIVIRUS\F-PROT
F-PROT /DUMB /ARCHIVE /PACKED /NOMEM /COLLECT /REPORT=F-PROT.LOG C:\VIRUS
...
If you do not use "START /W" the batch file will continue running lines.
Third, and finishing problems issue, different identifications question.
There is also other problem common to all AVP/KAV versions. Depending of the version and command line you use AVP will identify a virus with a name or other or it will not identify it at all.
That explains why even using same databases you can miss stuff from logs of other collectors but when you get that stuff it does not scan as new.
In order to know exactly all the stuff AVPDOS32/KAVDOS32/KAV are able to detect in a collection would be necessary to make at least 6 logs:
- AVPDOS32 3.0 build 133 without redundant scanning:
- AVPDOS32 /S /Y /* /M /B /P /H /W=AVP.LOG C:\PATH
- AVPDOS32 3.0 build 133 with redundant scanning:
- AVPDOS32 /S /Y /* /M /B /P /H /V /U /W=AVP.LOG C:\PATH
- KAVDOS32 4.0 without redundant scanning:
- KAVDOS32 /S /Y /* /M /B /P /H /W=AVP.LOG C:\PATH
- KAVDOS32 4.0 with redundant scanning:
- KAVDOS32 /S /Y /* /M /B /P /H /V /U /W=AVP.LOG C:\PATH
- KAV 4.5 without redundant scanning:
- AVP32.EXE /S /W /Q C:\PATH
- KAV 4.5 with redundant scanning:
- AVP32.EXE /S /W /Q /redundant C:\PATH
Here you can see a comparative of results using different versions of AVP/KAV done by Germano:
Comparation of Kaspersky's AVX
Total of 84229 vx, with special bases
Recognized (using VS2000 tool)
Version Total Time on PIII 500 Mhz
AVP 3.0 build 133 (dos) 40611 scan time 11:38:06
KAV 3.0 build 135 (dos) 40547 scan time 07:24:04
KAV 4.0 (dos) 40638 scan time 09:04:08
KAV 4.5 (windows) 40468 scan time 01:13:29
Comparation Log by Log
AVP 3.0 vs KAV 3.0
AVP 3.0: missing names 8 (0 of these CRC32 are dupes)
KAV 3.0: missing names 72 (72 of these CRC32 are dupes)
Total of unrecognized files:
AVP 3.0 = 8
KAV 3.0 = 0
AVP 3.0 vs KAV 4.0
AVP 3.0: missing names 90 (82 of these CRC32 are dupes)
KAV 4.0: missing names 63 (63 of these CRC32 are dupes)
Total of unrecognized files:
AVP 3.0 = 8
KAV 4.0 = 0
AVP 3.0 vs KAV 4.5 windows
AVP 3.0: missing names 50 (41 of these CRC32 are dupes)
KAV 4.5 windows: missing names 193 (83 of these CRC32 are dupes)
Total of unrecognized files:
AVP 3.0 = 9
KAV 4.5 windows = 110
KAV 3.0 vs KAV 4.0
KAV 3.0: missing names 91 (91 of these CRC32 are dupes)
KAV 4.0: missing names 0 (0 of these CRC32 are dupes)
Total of unrecognized files:
KAV 3.0 = 0
KAV 4.0 = 0
KAV 3.0 vs KAV 4.5 windows
KAV 3.0: missing names 45 (44 of these CRC32 are dupes)
KAV 4.5 windows: missing names 124 (14 of these CRC32 are dupes)
Total of unrecognized files:
KAV 3.0 = 1
KAV 4.5 windows = 110
KAV 4.0 vs KAV 4.5 windows
KAV 4.0: missing names 42 (41 of these CRC32 are dupes)
KAV 4.5 windows: missing names 212 (102 of these CRC32 are dupes)
Total of unrecognized files:
KAV 4.0 = 1
KAV 4.5 windows = 110
Obviously making 6 logs every week is a crazyness, so my suggestion is: when a new cumulative update is out you make a log with KAV 4.5 without redundant scanning then you make the other 5 logs and you create a log with all the stuff missed by KAV 4.5 log so until next cumulative is out you add manually the missed viruses adding them apart:
VS2000 -B AVP.LOG -A MISSED.LOG
That way you will not miss viruses that only are detected by different versions of AVP.
Here you can see the pros and the contras from KAV in my opinion:
Pros:
- Technical support is available.
- Antivirus databases updates are for free.
- It becomes to be the standard log to use in trades.
- Frequent updates: weekly and daily updates.
- Fast scanning.
- Automatic updates.
Contras:
- It is not freeware.
- Depending of the command line you get different scanning results.
- It is not possible to define where to store the log in real time.
As you can see it has more pros than contras compared to AVPDOS/KAVDOS32 so it is time to make it the standard... the unquestionable king of trades.
Updating KAV bases is a child game. You just need to run AVPUPD.EXE.
If you plan to use AVPDOS32 and/or KAVDOS32 there is an easy way to update all versions at a time.
Imagine you have KAV at C:\ANTIVIR\KAV, AVPDOS32 3.0 build 133 at C:\ANTIVIR\AVPDOS32 and KAVDOS32 4.0 at C:\ANTIVIR\KAVDOS32. If you have one directory with bases for each version means you must have 3 times the same files and update 3 times the 3 antivirus versions.
This is not necessary at all. You can have KAV 4.5 databases installed and modify AVPDOS32/KAVDOS32 AVPDOS32.INI in order to point "BasePath" section to where KAV 4.5 bases are installed.
Example of AVPDOS32.INI:
[AVP32]
DefaultProfile=
LocFile=AVP_LOCe.DLk
[Configuration]
KeyFile=AVP.KEY
KeysPath=.
SetFile=AVP.SET
BasePath=C:\PROGRA~1\COMMON~1\KAVSHA~1\BASES
So when you run AVPUPD KAV 4.5 bases get updated but also DOS32 versions are updated too.
KAV also has other advantage and it is the easy retrieving of X-Files databases. You only have to launch the Updater and check "Change settings", then open "Update AVP from Internet" tree, click in the "..." button, and add an URL like this one: "ftp://ftp.kaspersky.com/updates_x/" finally just move the URL you just added to the first place of the list clicking in the up arrow.
For all the above reasons I suggest you switch to KAV 4.5 to make logs.