Dr. Web Security Space 11 - a Review

Discussion in 'Reviews and Tests' started by Der.Reisende, Dec 27, 2016.

  1. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    Dear reader, welcome to my review of Dr. Web Security Space 11. I hope you brought some time, as this one will go into detail. For ease of use, I have added comments directly onto screenshots too, where needed.
    Enjoy!

    =================================================================================

    Official website:
    https://www.drweb.com/?lng=en (multilingual)
    Status: Stable
    Name of Software/Product: Dr. Web Security Space 11
    ===================================================================================
    Act I: Technical overview

    Advantages:
    + System impact is low
    + Constantly improving behaviour blocker (especially ransomware protection)
    + User-friendly GUI
    + Highly customizable with its 6 autonomously working protection modules
    + Auto-updates every 1/2 hour
    + Multilingual
    + Low priced, with some bonuses for customers
    + Anti-data-loss feature (can help in case of a ransomware attack, exclusively in Security Space)
    + Aggressive PUP/PUA detection (!)
    + Covers almost all OSes, including Linux, macOS and Android
    + Some weaknesses (ransomware, long time to detect ransomware) have been fixed pretty fast during the test period
    + Signatures for known malware (like GoldenEye ransomware) are created super fast in my experience

    Disadvantages:
    - Weak against new ransomware threats (but see above!)
    - Lacks webcam protection
    - Will auto-quarantine harmless and well-known PUP/PUA-equipped freeware, like Auslogics Disk Defrag

    Bottom Line:
    In the following review, I will try to provide an unbiased review of the above-mentioned paid antivirus solution, which I’ve been using for about a month now. Please take my review with a grain of salt; other users might not come across the issues I had, or might weigh pros and cons differently than I do. My review will focus on the ease of use of the product and the test against 0-day samples. I will pick out certain examples to show weaknesses, and improvements I noticed after submission of undetected samples. In any case, make sure to activate Dr. Web's "Data Loss Prevention" to be prepared for bad surprises, AND do some external backup, not permanently connected to your machine!

    Protection: 3.7 / 5 ✪
    Usability: 5 / 5 ✪
    User Interface: 5 / 5 ✪
    CPU/RAM/Storage: Low Usage
    Performance: Low Impact
    Overall Rating: Very Good - 4.6/ 5 ✪

    Act II: Technical overview - Let's get in detail

    Homepage
    The landing page offers services for both Home and Business users, including renewal of your license or a free 30-day trial without registration, or a 3-month one, which requires your e-mail address.

    I might point out some parts I find most interesting:

    https://vms.drweb.com/sendvirus/?lng=en - Here you can submit files, either a link to it or the (zipped) file. Provide the password in the box below if encrypted.

    If you provide an e-mail address and/or serial, they will send you both a notification of receipt as well as the results of the analysis. The dropdown menu provided lets you choose what you suspect the file to be, like harmless, undetected virus, suspicious...

    They also offer a (for registered users obviously free) decryption service here:
    https://support.drweb.com/new/free_unlocker/for_decode/?lng=en

    Note, however, that they clearly state that most encryption can’t be broken:
    https://antifraud.drweb.com/encryption_trojs/?lng=en

    If you’re interested in the current malware processing stats, pay a visit here:
    http://live.drweb.com/

    Processing submitted files
    The time between submission and the SUD report cannot be stated clearly; I experienced anything from 20 minutes (Cerber being auto-processed by machine, ticket auto-resolved) to one week (I sent a pack of 5 different files). According to their SUD success window, they apply „Hot add-ons [...] as soon as a new threat has been analyzed“. I was not really sure how to understand that, however I’ll point out something related to that later on.

    Resource Usage
    Quite acceptable in my experience; while writing these lines with Google Chrome running and 3 tabs open it is not really noticeable, ~127 MB RAM on the Paranoid preset.
    [Screenshots: resource1.JPG, resource2.JPG]

    GUI / Components

    I will do that in parts, just like the suite is built up.

    Let’s start with the context menu, opening up as you click on the Dr. Web icon in the Task bar.
    [Screenshot: context.JPG]

    Note the lock icon, which requires a UAC confirmation to unlock the „Tools“ and „Protection components“ options above.

    The three icons next to the green circle will appear:

    Number one will give you detailed statistics on what has happened on your system.
    Number two opens up a highly branched options menu.
    Number three opens up help options.

    Let's move on to My Dr. Web option.
    [Screenshot: My_DrWeb_1.JPG]

    It will open a cleanly designed webpage in your system language (it’s again multilingual, 8 languages available).

    You can login to your account, contact support, buy or renew licenses,...

    Note the VirusTotal-like option in the middle of the page, which will give you a rating for either a file or a URL. You can also search for a specific detection. I noticed that some detection descriptions are only available in Russian (use the language button top right).
    [Screenshot: My_DrWeb_2.JPG]

    Before we move on to our next topic, some words on the License manager.

    With this, you can edit or remove your current subscription, and get information on what you’ve registered, to whom, and for how long the subscription is still good. It also shows the date of activation.

    Hot tip: Register for a free 3-month license here, and if you decide to buy a license, click on „Buy or activate new license“. This will take you through a process to enter a new license.

    Note that it will ask you for a former license of Dr. Web, granting you 150 days on top as a bonus! This works with the 3-month license too, plus you get the leftover days from your free 3-month license on top!
    [Screenshot: tools_license_manager.JPG]

    Next on the list: The Tools section.

    Let’s start with a vital tool included in Dr. Web Security Space, the „Data loss prevention“ tool.

    Make sure to activate this one on installation, and click on „Choose files and folders for protection“.

    Click on the + and choose the folders / files you want to have backed up by the tool. It will do it both on manual action (by clicking „Create copy...“) and automatically at regular intervals. I backed up only some documents and a small archive; it took only seconds to back up and to „Restore...“.
    [Screenshots: tools_data_loss_prevention_1.JPG, tools_data_loss_prevention_1_1.JPG]
    Read more @ https://products.drweb.com/services/backup/?lng=en

    A look at the Anti-Virus Network tool:
    [Screenshot: tools_AV_network.JPG]

    Let’s have a short talk on the Quarantine module...
    [Screenshot: tools_quarantine.JPG]
    ...and finish with the Support option.
    [Screenshots: tools_support_1.JPG, tools_support_1_1.JPG, tools_support_1_2.JPG]

    Almost forgotten, but highly recommended to perform regularly, is a scan of the computer. Dr. Web Security Space has three presets to offer: Express (typical infection areas), Full (every item on the PC) and Custom (choose the areas to be scanned on your own). Note that you can highly customize the scans within the Protection components, to be discussed subsequently.
    [Screenshot: scan.JPG]

    Let’s move on to the more interesting part, the „Protection components“ in detail.

    A click on the Dr. Web icon in the Task bar will open the well-known context menu, showing „Protection components“ as the 4th entry. Note that you can (de-)activate single settings only if you „unlock“ them by clicking on the lock icon.

    There are 6 protection modules in total, namely:

    SpIDer Guard, which is kind of the real-time protection, using both cloud and local signatures.

    Removal of found threats is super fast, both in context scan and realtime protection.

    You can alter the scan options in the Settings - Protection Components - SpIDer Guard section to your needs, including scanning of removable media and blocking autorun of external media (both highly recommended).
    [Screenshots: PC_Guard1.JPG, PC_Guard1_1.JPG]

    Regarding the action depending on the threat, you can predefine the action of Dr. Web Security Space. Please refer to the screenshot regarding the 7 risk types. The default action also depends on the „Operation mode“ preset in „Settings - Protection components - Preventive Protection“.

    As for the Scan Mode, I’d suggest leaving it at the default „Optimal (recommended)“ setting, as system impact will be quite high with Paranoid deep-scanning huge installer packages etc.

    Also, I’d leave the „Additional tasks“ settings as they are (refer to screenshot above).

    SpIDer Gate monitors contacted URLs and is capable of blocking threats silently in the background. During my tests, this prevented script droppers (.js) from downloading and running the ransomware payload. If you experience something being blocked, check the „Statistics“, click on one of the numbers in the „Threats“ section and change to All events. You might find a blocked URL, with both the address and the reason for interception. If you want, you can activate a desktop notification once a page is blocked; do this in „Settings - Main - Notifications - Notification parameters“.

    This protection module again has a lot to offer in the „Advanced Settings“ part, but be careful with upping the „Block programs“ and „Block objects“ settings, as it might block legitimate applications from calling out and make them malfunction.
    [Screenshots: PC_Gate1.JPG, PC_Gate1_1.JPG]

    I highly recommend setting the Scan mode to „check all HTTP traffic“, as the software might catch even more threats (like keyloggers). By default, it will only monitor incoming connections.

    Scanning archives and installation packages might have impact on both CPU/RAM usage as well on browsing experience. Decide whether you need it active.

    SpIDer Mail is the mail filter part of Dr. Web Security Space. I cannot tell much about it; I have not seen it being active in either the Windows 10 default „Mail“ application or eM Client (which I’m not using anymore). It should work nicely with Microsoft Outlook.

    It has exactly the same settings for the 7 threat types, as well as a scan option for archive and installation package scanning. Anti-Spam feature is preset, you can alter the three options („SPAM“ marking, (dis)allowance for both Cyrillic and Asian text) in „Change parameters“).
    [Screenshots: PC_Mail1.JPG, PC_Mail1_1.JPG, PC_Mail1_2.JPG]

    Parental Control feature can be used to limit usage of the computer, if shared with your children. You can set it for each registered user on the PC.
    [Screenshot: settings_parental_control.JPG]

    Dr. Web Security Space lets you define accepted and forbidden URLs and usage times, and prevent access to folders and files. You have the following options:

    URL filtering is able to use predefined categories, which can be enabled / disabled to your needs; you can also lock down internet use to only predefined URLs. You can also force Safe Search in the search engines.

    Computer use times offer either fully configurable times of use (in a timetable GUI) or an interval time limit, for Monday-Friday as well as for the weekend, from 0.5 h up to 8 h/day.

    You can also prevent computer usage for specific time frames. All options can be combined to the user's needs.

    Usage statistics can be found in „Statistics - Parental Control - click on the User“.
    [Screenshot: statistics_detailed_parental_control.JPG]

    The Firewall can be handled in „Settings - Protection components - Firewall - Operation mode“. You can either let Dr. Web Security Space decide on rules for known apps, or make it more aggressive by either „Interactive Learning mode“ or by „Block[ing] unknown connections“. Be careful with the last-mentioned, regarding user experience.

    Make it less aggressive, but put yourself in possible danger (!), by setting it to „Allow unknown connection“.

    The Firewall feature was quite active in my test, even giving alerts for trusted applications misused by malware hijacking them.
    [Screenshots: PC_Firewall.JPG, PC_Firewall1_1.JPG, PC_Firewall1_2.JPG]

    Another useful feature, to be found in „Statistics - Network Activity“, is the monitoring of „Active applications“, as well as a journal for both App activity and sent / received packages (dropdown).
    [Screenshot: firewall_network_activity.JPG]

    Preventive protection is the most interesting feature IMO, especially regarding the most prevalent threat today, ransomware.
    [Screenshots: PC_Preventive1.JPG, PC_Preventive1_1.JPG, PC_Preventive1_2.JPG, PC_Preventive1_3.JPG]

    It can again be modified a lot to the user's needs, by choosing either the „Medium“, „Paranoid“ or default „Optimal [...]“ preset (see screenshots above). I'd suggest Paranoid, as it offers way more protection, without noticeable impact on user experience or the system.

    Users can define settings according to their needs here, I also warn users of possible unwanted malfunction.

    Exploit protection feature will be on „Prevent unauthorized code from running“ in „Paranoid“ preset. I’ve not experienced any incompatibility with this, I’d leave it as is for boosted protection.

    If wanted, you can also deactivate it by „Allow unauthorized code to be executed“ (absolutely not recommended!), or set it to „Interactive Mode“. I’ve not yet noticed a difference to „Prevent unauthorized code from running“.

    Not enough protection settings? Then feel free to alter the „Additional tasks“ in the „Scanner“ tab, if you want to have installation packages, archives and email files scanned (or not). You can either have Dr. Web do nothing by default, neutralize threats (depending on the defined setting), or shut down the PC after neutralization.
    [Screenshots: PC_Scanner1.JPG, PC_Scanner1_1.JPG]

    Of course, we have the option to decide on the default action (ignore, quarantine or delete) for the 7 threat types.

    A full overview on events can be seen in „Statistics - Detailed report“. Use the dropdown to find the type of event you’re interested in.
    [Screenshots: statistics.JPG, detailed_report.JPG]

    Before we move on to the real-life experience report, let's have a quick tour through the Main settings, accessible from the cogwheel icon in the context menu.

    We will start off with the main GUI, from which you can import, save and password-protect your settings...
    [Screenshot: settings_main_0.JPG]
    ...moving on to the submenu, which allows us to decide on various parameters which did not find their place elsewhere...
    [Screenshots: settings_main_1.JPG, settings_main_1_1.JPG, settings_main_1_2.JPG, settings_main_2.JPG, settings_main_3.JPG, settings_main_4.JPG, settings_main_5.JPG, settings_main_6.JPG, settings_main_7.JPG, settings_main_8.JPG, settings_main_8_1.JPG]
    ...being back at the main GUI, we'll skip the above-mentioned additional Parental control settings as well as those for Protection components, but rather have a look at the exclusions.
    [Screenshots: settings_exclusions_1.JPG, settings_exclusions_2.JPG, settings_exclusions_3.JPG, settings_exclusions_4.JPG]

    To be continued in Act III....
     

  3. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    Act III: The real life experience report

    Disclaimer I:
    My experiences are solely based on the „Paranoid preset“ with no further alterations, and on testing a limited number of 0-day samples (see table). DO NOT EXPECT DR. WEB TO NOT FAIL ON SPECIFIC SAMPLES, IT’S A CAT-AND-MOUSE GAME WITH THE BLACKHATS!
    Therefore, I appeal to every user to have an external backup, not only in case Dr. Web Security Space and its components fail to protect your data, but also because it might happen to you not only with every Antivirus / Antimalware product, but also due to a physical error which might lead to data loss!

    Disclaimer II:
    Due to the small number of samples used in these tests, you should take the results with a grain of salt. I encourage you to compare these results with others and take informed decisions on which security products to use.

    Dr. Web has improved this one nicely in my month of testing (by the update feature; note the „Hot addon“ mention in the SUD reports), adding new filters for submitted malware, like Locky or Cerber ransomware, but also for droppers delivering both a ransomware as well as the Kovter trojan. In this connection, processing of submitted samples can take a long time; my worst experience was with a pack of 5 samples (different threats, you usually should submit each sample on its own) taking a week to process. However, one sample infecting the system and hitting some files by ransomware attack was instantly blocked, without being able to do any harm, the next time a fresh one came across. We'll see it later on.

    Another example: The first time I tried out Dr. Web Security Space, Cerber was capable of completely encrypting my system; now it’s blocked instantly on run, regardless of „Optimal“ preset or „Paranoid“ preset. Unfortunately, I do not have screenshots here.

    First some pure statistics:

    In a total of 45 cases, the machine was infected in 12 cases (note that even the smallest indicator of an infection, such as an autorun or a running process, causes this rating!). The detection ratio was 45% out of a total of 195 zero-day files (just a few hours old, low detection ratio). Dynamic detection (intercepted after run) was 38%. Only 32 files (17%) were not detected.

    Note that the statistics might not look too favourable on first glance, however I really need to point out the improvements I’ve seen during my testing - without specifically contacting Dr. Web support on issues, just submitting the samples tested with a link to the Hybrid Analysis reports!

    GoldenEye Ransomware (Petya / Mischa follow-up)

    wt3.exe creates expand.exe shortly after run, while wt3.exe auto-terminates. After about half a minute it tries to encrypt files; expand.exe is intercepted and auto-quarantined. It creates a bunch of ransom notes and encrypts two files before being stopped. Files successfully restored by the Dr. Web tool against data loss. HIT.
    [Screenshots: GoldenEye (1).JPG, GoldenEye (2).JPG, GoldenEye (3).JPG, GoldenEye (4).JPG, GoldenEye (5).JPG]

    https://www.reverse.it/sample/cf72f...f095582111248aa4ee81ae4a17c?environmentId=100 --- wt3.exe
    Thank you @silversurfer for the sample!

    Another GoldenEye sample was easily spotted by Dr. Web, not long after release (thank you @Petrovic for the sample, thread to be found here: http://tweakbytes.com/threads/goldeneye-ransomware-16-12-25.4313/):
    [Screenshots: Goldeneye_0day_1.JPG, Goldeneye_0day_2.JPG]

    Double threat - Kovter & Ransomware - comparison


    First sample (16.12.2016):
    „Delivery-Details.wsf drops a1.exe (a Kovter, intercepted by the Dr. Web Process dumper) and a2.exe (ransomware), which hits some of my files before getting intercepted by Dr. Web Process HEUR. Files saved by the Dr. Web tool against file loss can still be restored (but not those hit yet, not included in the backup, as the screenshots were taken just during the ransomware attack). HIT.“
    ---No screenshots (see description above).---
    https://www.hybrid-analysis.com/sam...d3553aeaf3039c006c227f6d941?environmentId=100 - Delivery-Details.wsf
    Thank you @silversurfer for the sample!

    Second sample (20.12.2016, same threat, zero day again):
    We can clearly see that Dr. Web has improved the behaviour component („Preventive Protection“) in reaction to the submission of the undetected samples (a total of 4 samples in this pack), which took 5 days to process.

    „Delivery-Details.doc.wsf triggers wscript.exe, which calls out silently. Dr. Web Process dumper / SpIDer Guard instantly intercept and auto-quarantine four threats, including a Kovter. Source file untouched, deleted before firing off 2nd_opinion scans. No files harmed. HIT.“
    [Screenshots: double_action_2_1.JPG, double_action_2_2.JPG, double_action_2_3.JPG]
    https://www.hybrid-analysis.com/sam...d3553aeaf3039c006c227f6d941?environmentId=100 - Delivery-Details.doc.wsf
    Thank you @silversurfer for the sample!

    Act IV: Some Final words

    Would I recommend the use of Dr. Web Security Space 11 or later?

    After a one-month test, it might be too early to judge; however, having tested multiple products in the past, I’m more than impressed by how Dr. Web protected me and improved on the weaknesses it showed in the tests.

    Note that any AV will fail at a certain point, however Dr. Web offers you an outstanding feature, which is the most useful in the whole soft IMHO (next to the very good malware protection, which is core of any good AV), called „Data Loss Prevention“ and described in the tools section.

    As long as a ransomware or something else does not manage to encrypt the whole PC, you should always be able to restore your local (!) backup, at any time to any place you want. The folder where the backup is stored (C:/DrWeb Archive by default) is protected by Dr. Web, as it seems; you cannot have a look inside.

    I purchased a license, and I plan to equip my main PC with this software too, as it has impressed me a lot in the past days. I’ll continue testing the product on 0-day malware.

    However, this is not a sales review but a diary of use in hands-on malware testing; give it a try and decide whether it fits your needs :)

    Side note: I cannot tell you whether Dr. Web Security Space 11 is compatible with other real-time protection components such as Zemana Anti Malware / Anti Logger or HMP.A.

    I had HMP.A running for a short time next to Dr. Web on my main PC; however, either the current release of HMP.A was buggy or it conflicted with Dr. Web (Exploit Protection), as it kept crashing Google Chrome v55.x (the current release) due to some exploit attempt (there wasn’t one, the system was freshly installed and clean).

    The Zemana and Sophos / SurfRight products named above however work flawlessly as 2nd_opinion scanners, experience based on regular use.

    If you find errors, or just want to give feedback on this review, I warmly invite you to do so!

    Thank you for reading!

    =================================================================================
    ACT V: Contacting Support
    While testing, I came across two samples completely new to Dr. Web, not only in terms of static detection by signatures, but also by their behaviour based "Preventive Protection".
    I contacted the support via the respective page (https://support.drweb.com/support_wizard/?lng=en), attaching both the malware and a description of what happened, including the respective Hybrid Analysis report. I received an answer from their support within 48 hours on workdays (actually, the answer was received 20 hours later). I was asked to rerun the malware causing the issues and to run their service log tool, so that they could forward it to their technicians. This time, the reply took only 2 hours.
    As soon as feedback is received by their development team, I will update this post.
    Note that plain signatures for the malware in question have been added in time.
    Malware in question:
    hxxp://tweakbytes.com/threads/badencript-ransomware-16-12-27.4334/
    hxxp://tweakbytes.com/threads/derialock.4336/

    [Screenshots: support1.JPG, support2.JPG, BadEncript.JPG, DeriaLock.JPG]
    EDIT: Added Support answer from 23/01/2017. Behaviour detections to be added in v12.
     
  4. RGiskardR

    RGiskardR Malware Tester Silver Member

    Wow! very deep and detailed review! great work! :cool::clap::glad:
     
  5. omidomi

    omidomi Member

    very great job, thanks :)
     
  6. silversurfer

    silversurfer Malware Tester Silver Member

    Amazing work! :clap: Thank you for your great efforts @Der.Reisende
     
  7. wwd

    wwd Illustrator Silver Member

    Great review!! Thanks :cool:
     
  8. Trim

    Trim MTAC Moderator Staff Member

    Thanks for your great and well explained review @Der.Reisende ! :) Keep up the good work!
     
  10. wwd

    wwd Illustrator Silver Member

    It's a really great review; it cost you a lot of work, I appreciate it :shake:
     
  11. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    Yes, but it was big fun and, as there are next to no reviews on the net (English / German ones) according to my search, it was an honor :)
     
  12. jasonX

    jasonX Giveaways Moderator Staff Member

    @Der.Reisende,

    Fantastic REVIEW! YEAH! The dev will be proud of this one. Thanks for this review. We will soon have a giveaway of Dr. Web Security Space 11 here at TBT and this review will be linked to the giveaway page! Hats off to the MTAC team for this! That's a clap!

  13. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    That's great news! :joy: Makes me proud as well :) Thank you very much @jasonX :shake:
     
  14. jasonX

    jasonX Giveaways Moderator Staff Member

    Have been at it a few weeks after Mom passed away. Dev was just busy and when I was in the thick of it I'd been really waiting on this review. Please do get in touch with our BC2Tweak when you guys can help in the reviews again. Great work fellas :)
     
  15. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    Great, just in time with the review ;) Sure, when I've time (during my studies probably less) might do that with pleasure! Thank you for the trust!
     
  18. BC2Tweak

    BC2Tweak Reviews Moderator Staff Member

    Now that's a cool graphic!! :)
     
  20. BC2Tweak

    BC2Tweak Reviews Moderator Staff Member

    Thanks @jasonX!! That's a super-duper idea!! :D :cool:
     
  21. revC0de

    revC0de MTAC Moderator Staff Member

    Another AWESOME review, clear and complete! Thanks for your effort!!!

    :great:
     
  22. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    Thank you sir, highly appreciated!
     
  23. BC2Tweak

    BC2Tweak Reviews Moderator Staff Member

    Very nice Review!! :wide:

    Good explanations for all the Features/Functions, as well as excellent test results!! :joy:

    And thanks for adding the "Support Responses"!! That is a highly valuable addition to the Review. :)

    I am very happy.....:thanx::congrats:!!
     
  24. ant_gamal

    ant_gamal Member

    Great review and test
     
  26. hakah

    hakah Junior Member

    Der.Reisende : Thanks a lot for your detailed and in-depth review and test report on Dr. Web Security Space 11.
    Really GOOD WORK and thanks very much for your GREAT EFFORT and VALUABLE TIME !!
     
