VB100 - December 2009 - Windows 7
Filseclab Twister Anti-TrojanVirus 188.8.131.52.85
Filseclab’s product has a slow installation process and requires a reboot to complete. The interface is pleasantly designed and simply laid out (although the configuration screen is rather cluttered with a wealth of options described in less than helpful language). It seemed splendidly stable and responsive throughout testing. On-demand scanning proved fairly slow and showed no sign of speeding up once familiar with files, while the on-access protection did not appear to fully intercept file accesses, merely logging detections after allowing them to be accessed. As a result, the on-access speed measurements may appear faster than they ought.
Detection rates were generally fairly good, with solid scores in the trojans set and decent levels across the RAP sets despite a steady decline as the samples grew fresher. In the WildList set a number of items were not detected, including fair numbers of the W32/Virut strain – a failing that was also seen in the other polymorphic strains in the detection sets. In the clean sets a small number of false positives were noted, with some components of the popular freeware image manipulation solution The Gimp misidentified rather vaguely as ‘Trojan.Obfuscated’ – clearly a very generic detection algorithm applied slightly too severely in this case. Between them these issues are enough to deny Twister a VB100 award once again, despite continuing signs of improvement.
ItW (o/a): 98%
Worms & bots: 96%
False positives: 2
VB100 October 2009 - Windows Server 2008 Standard Edition SP2 x86
Filseclab Twister AntiVirus 184.108.40.20671
Filseclab bravely returns for another run in the VB100, having shown gradual improvements over its first few attempts. The install process remains simple and very speedy, although it does require a reboot to complete. The main interface is quite appealing, and a decent degree of configuration is tucked away underneath, albeit in slightly less stylish settings. The product also includes a range of other features beyond standard anti-malware, including a HIPS set-up, which is really its main strength, and also a ‘Fix Windows’ area which tweaks and adjusts a number of settings, putting the system into a safer state either after an infection or simply on spotting some of the notoriously insecure defaults in most Windows versions.
On-demand scanning speeds were fairly modest, and on-access protection is implemented in a rather unconventional manner, with no instant blocking of files but alerts, actions and log entries appearing soon after an infected file is accessed. This makes our standard on-access speed measurement somewhat unreliable, but as some slowdown was observed despite the lack of file access interception we opted to record it out of interest. Detection rates still lag behind somewhat, but seem to be improving, with only a single false alert generated in the much-expanded clean set. In the WildList, a fair number of recent items were not properly handled, with fairly large swathes of both Virut strains missed too, and Filseclab will have to keep working its way towards a VB100 award.
ItW (o/a): 95.54%
Worms & bots: 85.29%
False positives: 1
VB100 August 2009 - on Windows Vista Business Edition SP2 x32
Filseclab Twister AntiTrojanVirus 220.127.116.1171
The somewhat oddly named Filseclab’s somewhat oddly named Twister AntiTrojanVirus makes its second appearance in the VB100, having impressed last time around with its slick presentation and stable operation if not with its detection rates. This time once again the install process was fast and smooth, although the UAC system presented some serious warnings about unknown and untrusted publishers. The main interface is clear and lucid, with a user-friendly and attractive design.
Once again the on-demand mode proved fast and stable, while the on-access mode presented something which we would later find to be a recurring issue in this test: the inability to block access to infected files. Twister is designed primarily as a behavioural and HIPS product, intended to monitor executing programs for malicious behaviour, with the standard anti-virus-style file access hooking added later than much of the product. In this case the on-access detection seems only to log attempts to access files, doing nothing to prevent them from being accessed. The logging proved reliable however, and speeds were decent in both modes, although as the on-access module was not actually preventing access, the speed measurement may not be strictly comparable with other products. Detection rates were also fairly decent, at least in the less recent items in the standard sets, although handling of polymorphic viruses was less than impressive. In the RAP sets detection rates were somewhat below par but at least even and regular. The WildList was not fully covered, with fairly minimal coverage of the Virut variant included there, and in the clean sets a number of false positives turned up, denying Filseclab a VB100 award this time, but still looking a promising prospect.
ItW (o/a): 91.45%
Worms & bots: 84.02%
False positives: 38
VB100 April 2009 - Windows XP SP3
Filseclab Twister AntiVirus 18.104.22.16871
The first of the newcomers in this month’s test, Filseclab’s Twister has picked up a bit of a reputation as a strong up-and-comer on various web forums and discussion boards, and has put in some excellent performances in independent tests run in China. An initial trial version we looked at impressed us with simplicity, stability and better than expected scanning performance, and a later version submitted for the test showed even more promise. With a slick and professional-looking installation process and a clear, attractive and well laid-out interface, the product certainly looks the business and has a very good level of fine-tuning available, as well as a behavioural monitoring system that is given as much importance as the more traditional detection in the layout of the interface.
Running through the tests proved a little less straightforward than hoped thanks to some slightly unusual behaviour: on-access scanning, while triggered on read, seemed not to block access instantly, instead waiting a little before alerting on and taking action against detected items. This meant that our standard opener tool, which logs items it cannot access, recorded having successfully opened everything. Thus, detection data could only be gathered from the product’s own logs and the on-access scanning speeds, recorded in the same manner, may not quite reflect the full picture.
Detection rates were not unreasonable, particularly for a product that is entirely new to our testing system and test sets. Fairly good scores were achieved in some of the standard sets, including a surprisingly excellent handling of W32/Virut samples in the polymorphic set, with a little less coverage of older polymorphic items, and a fairly decent showing in the trojan and RAP sets. Several items in the WildList set were not covered, most of which were from the latest batch of additions, and a sprinkling of false alarms were raised in the clean sets (no big surprise on the product’s first look at their diverse content), so Twister does not qualify for a VB100 award on its first attempt, but it looks like being a strong contender in the very near future.
ItW (o/a): 86.85%
Worms & bots: 83.44%
False positives: 21