
1 Rookie • 5.8K Posts


April 18th, 2010 19:00

Immunet: Safe as a 2nd AV?

An interesting blog by Brian Krebs:

"Security experts have long maintained that running two different anti-virus products on the same Windows machine is asking for trouble, because the programs inevitably will compete for resources and slow down or even crash the host PC.

... But an upstart anti-virus company called Immunet Protect is hoping Windows users shrug off this conventional wisdom and embrace the dual anti-virus approach. Indeed, the company’s free product works largely by sharing data about virus detections from other anti-virus products already resident on the PCs of the Immunet user community.

... I’ve been running Immunet in tandem with Kaspersky Internet Security 2010 for the past three months, and have haven’t noticed any impact on system resources or stability issues. Immunet’s creators are especially proud of that last aspect of the program, and say it’s due to the fact that the program does most of its scanning and operations “in-the-cloud,” – that is, not on the user’s system. "

Full read: http://krebsonsecurity.com/2010/04/immunet-a-second-opinion-worth-a-second-look/

http://www.immunet.com/

Haven't tried this yet, but Krebs does know his security stuff.

2.5K Posts

April 18th, 2010 20:00

I read the link. This paragraph makes absolutely no sense to me:

"But what makes Immunet different from other anti-virus products is that it also incorporates detections for malware from other anti-virus products that may be resident on users’ machines. For example, each time someone’s PC in the Immunet user base encounters a virus, that threat is logged and flagged on a centralized server so that all Immunet users can be protected from that newly identified malware."

Let's assume I am running Norton AV and it finds a virus. How will a signature automatically be created for Immunet, and who will validate it? Lastly, I want an AV company to be proactive, searching for viruses in the wild and building a defense, rather than reactive; waiting for some other AV company to find the problem means they will always be one step behind.

1 Rookie • 5.8K Posts

April 18th, 2010 21:00

I'm not sure I can answer your question about validation, Michael. False positives continue to be a problem with every AV (some more than others).

But as I understand it, Immunet gathers data from all its users, who use a variety of AVs. As you know, some AVs respond to new threats with updates quicker than others.

It *seems* like a good idea.

3 Apprentice • 15.2K Posts

April 19th, 2010 05:00

Just a quote from WinPatrol's BillP: "I’m also intrigued by new free software called Immunet but I’m still evaluating its effectiveness. I can confirm it works well when paired with WinPatrol PLUS."

(The last 2 sentences from his blog here: http://billpstudios.blogspot.com/2010/03/winpatrol-plus-50-off-for-malware.html )

[I have not tested the product.]

1 Rookie • 2.2K Posts

April 20th, 2010 07:00

OK...being the resident test dummy here, I went ahead and installed this program on both computers yesterday. The security programs they have in common are: SAS, MBAM, Spybot S&D, Spyware Blaster, and WinPatrol.

The XP computer uses the Outpost Firewall, Avast 5, Windows Defender, and PC Tools Threatfire in addition to the applications above.  Adding Immunet to this computer seemed to be pretty straightforward as compared to the one below.

The Vista computer uses Online Armor and MSE in addition to the above. Online Armor threw out many more alerts during the installation process...like 30-35 as compared to about half a dozen...than Outpost did, if this means anything. In addition, it is requesting to allow many other files or processes instead of asking about them. These show up in a larger OA box with more action options, as compared to the smaller box that places itself on the lower right side of the screen. These processes appear to be part of Immunet establishing itself and therefore legit, and I allowed them.

Also, I had several requests on the Vista machine about searchindexer.exe. This appears to be another Windows process, and part of the installation and "getting to know ya" that Immunet requires. Other than the alerts and the requests to allow stuff, the installations went flawlessly, and in both cases Immunet did not discover anything on its first scan. I did quick scans of all the programs above and nothing showed up on either computer...it was like Immunet was not there. I do not detect any slowdown or excessive CPU use.

I probably have more programs than I need, but I rarely get alerted to a problem and can't remember the last false positive I have had. Hope this helps. Had to sign in again to make this reply...hope they get that fixed.

1 Rookie • 5.8K Posts

April 20th, 2010 17:00

Thanks Dale for that feedback. It encourages me to give Immunet a trial. I've been a "crash test dummy" myself for years, but have never considered a 2nd AV, except as a standalone on-demand scanner, with real-time protection disabled.

Using Outpost Firewall Pro on XP Pro here, I always put it temporarily into "Auto-Learn" mode when installing new programs, to avoid alerts. (It automatically reverts to "Rules Wizard" after one hour, if I forget to do so manually).

I believe DC is going offline shortly to correct some problems (hopefully the log-in cookie retention issue, but I'm not holding my breath).


2.5K Posts

April 20th, 2010 23:00

I think the question should be, "Does Immunet do anything useful?"  Doing no harm is not the same as doing something good.

1 Rookie • 5.8K Posts

April 21st, 2010 20:00

Quote:
I think the question should be, "Does Immunet do anything useful?" Doing no harm is not the same as doing something good.

You ask the $60,000 question, Michael, to which I have no answer.

Immunet has not been subjected to independent testing as to its effectiveness. But I find its concept intriguing.

I do know that in medical studies on potentially therapeutic new drugs, studies on safety take precedence over studies on effectiveness.

All I know is that this program installed quickly and easily, with no conflicts while running with my resident AV that I could detect. It does add "iptray" to my startup list, and "Immunet Protect" as a service. It does not slow down my PC or browsers, as far as I can see. It runs a scan in about 30 seconds, and like all my scanners, detects nothing. It says I am protected from 12 million threats.

Which is to say, I too have found no problems with Immunet. No more, no less. It seems safe, and may offer some benefits, yet to be proven.

1 Rookie • 2.2K Posts

April 21st, 2010 21:00

I don't know if Spybot Search & Destroy or Spyware Blaster do all that much good either. But perhaps they really do stop some stuff or keep a problem from occurring. Because of that I will keep updating and using them unless given information to the contrary.

1 Rookie • 5.8K Posts

May 17th, 2010 20:00

Update:

It's now been about one month since I installed Immunet Protect (IP). I should point out that this version 1.0.26 is a beta version, and after looking it over and running a scan, decided I didn't want a beta AV running in tandem with my NOD32 AV. I exited the program with a right-click on its tray icon. Or so I thought!

Today I opened my Control Panel> Security Center>Virus Protection, and was surprised to see the following:
"Immunet Protect reports that it is up to date and virus scanning is on." (!)

Belarc Advisor confirmed this, as did Secunia PSI.

So it turns out IP has been running along with NOD32 for almost 4 weeks, with nary a problem or conflict. (I can of course prevent this by blocking its startup with WinPatrol). And nary a single alert or detection over all that time. Now that's a quiet AV.

When I open the program, I'm informed that some 186,000 folks are in the Immunet Cloud, and I'm protected from some 12 million threats.

As far as resources go, Task Manager shows its service (agent.exe) using about 1/3 the memory that NOD32 does.

A nice overview of IP with screenshots is here:
http://support.immunet.com/index.php/Immunet_Protect_Feature_Guide_(Beta)

IP's on-demand scan of running processes and loadpoint processes (2082 files for me) takes about 30 seconds. This is not a replacement for your conventional AV on-demand scan, but is a quick supplement.

One feature I like is the History and Summary tabs. The resident IP was monitoring all executable files (literally hundreds, most of them in tmp folders) I downloaded in the last month, and declared them all "known legitimate programs".

There are no "Help" files per se; clicking on "Help" takes you to Immunet's support forum.

Summary:

IP proved to be a 2nd resident AV that ran alongside my own AV with no problems for one month. It was so unobtrusive I didn't even know it was resident (and that's embarrassing!). And no false positive detections.

Its version of cloud security is a promising and unique concept, an additional layer of security, and this is a program worth keeping track of. However, I cannot recommend a beta program, and in fact have disabled it properly this time. Its effectiveness at blocking/removing malware has yet to be independently evaluated.

Immunet states it will be releasing a new version shortly, and I will eagerly await it.

Additional info:
http://blog.immunet.com/blog/2010/3/7/how-immunet-detects-threats-in-a-nutshell.html

1 Rookie • 2.2K Posts

May 18th, 2010 06:00

Thanks for the update Joe. After the installations mentioned above I have not known they are there. This little program is very quiet in its work, which is the way it should be and I have left it enabled on both machines.


5 Practitioner • 274.2K Posts

May 18th, 2010 11:00

Hi Guys

Okay... I can't say I've spent a whole lot of hours researching Immunet and am in no way knocking it, but...


...my main concern here is, as it would be when attempting to run any 2 real-time AVs simultaneously, what happens when you stumble across an actual threat that both programs have a signature for? (Edit; See quote below)

That maybe is where the greatest possibility and danger of a conflict could arise.

Example #1 (post 2)

Example #2


As a harmless test, it might not be a bad idea to download some simulated threats (Eicar, Trojan Simulator), rather than wait for a real threat to pounce.


Edit; Wording.

Edit 2; Added text and quote.


From the Brian Krebs article in Joe's opening post.


BK: If I have Immunet on my system in addition to another anti-virus product, which one speaks up first about an infection? Or will they both?

AH: Typically, the other anti-virus product will reside in front of us, but in some cases they don’t. In both cases, they should both alert if they both have [detection for] it. If you are running Kaspersky anti-virus and our stuff, and you download a threat, if Kaspersky detects it, they’ll flag it even if we do as well.

Maybe I'm missing something, but to me this seems like a potential problem where both may try to quarantine the same file.

20.5K Posts

May 18th, 2010 14:00

Quote:
...my main concern here is, as it would be when attempting to run any 2 real-time AVs simultaneously, what happens when you stumble across an actual threat that both programs have a signature for?
I'm glad you mentioned that. I've been wondering about that myself. Maybe one of the Malware Removal Analysts can run a test.

1.5K Posts

May 18th, 2010 17:00

OK, I just had a try running Immunet and Avast. This is in no way a thorough test, as all I have done is try to open the infected files with both AVs running: no system crashes, have not tested for slowness and incompatibility issues, just what would happen if both detected a file at the same time.

Results for Avast: (unless "NO warning box" is stated, there was one)

TDL3 - Quarantined
LOP - Quarantined
Koobface - NO warning box, but still in Quarantine
W32.Rootkit - Quarantined
W32.Downadup - Quarantined
W32.Fasec x15 different files - Quarantined (2 or 3 files NO warning box, but all in Quarantine)
W32.Monder x8 files - Quarantined (1 or 2 as above)
W32.Zapchest x2 files - Quarantined
W32.Obfuscated x2 files - Quarantined

Total: 32 malicious files run; 28 or so resulted in a warning popup box, ALL in Quarantine.


Results for Immunet:

Popped up those few times that Avast did not.

In Quarantine are 9 of the W32 files out of the 27 W32.Fasec/Monder/Zapchest/Obfuscated, so it missed 18 of those files in total.

W32.Downadup was detected (no popup warning), NOT Quarantined
W32.Koobface was detected WITH warning box, NOT Quarantined
W32.Rootkit was detected (no popup warning), NOT Quarantined

The malicious .sys file from TDL and the LOP installer are listed in the results window as "A Known Legitimate Program was Installed on your System"

Total: Not very good, I won't be using it.

Hope that helps. I'm really busy this week, but will run all those files with the AVs off, and then scan with each program and post the results back here, but that's something to go on for now.

Thanks
K27.


EDIT:

Forgot to add that when you first install Immunet, it prompts for a "Flash Scan". This lasted 50-odd seconds and scanned 2500 or so files, and did not flag any of the above files located in a folder in the root of the drive.

1 Rookie • 5.8K Posts

May 18th, 2010 17:00

RD:

You ask the million dollar question. Thanks for the links.

Those avast examples you cite were from February, using an earlier Immunet beta version. The current list of security programs supported by Immunet now includes avast Free 5.0:
http://support.immunet.com/index.php/Immunet_Protect_Software_Requirements_(Beta)

Whether this support addresses the issue you raise is moot.

I forgot to say my NOD32 is not listed as a supported AV, which is another reason why I disabled Immunet.

The eicar testfile isn't much of a robust test, but it was detected by my AV. If I disabled my resident AV, it was detected by Windows Defender. When I disabled WD, it was detected by IE8. Never did get to Immunet detection. The point being there were no conflicts among these programs for this one simple test, in my particular environment.

It will take more than an eicar test to satisfy my reservations, however, and I'll leave the real testing to the experts. Meanwhile, despite my (inadvertent) positive experiences to date, Immunet beta returns to disabled status on my system, for precisely the concern you express.

3.3K Posts

May 18th, 2010 18:00

Quote:
...the company's free product works largely by sharing data about virus detections from other anti-virus products already resident on the PCs of the Immunet user community.

Nothing at all new about that. I don't know of one a/v product that doesn't ask the user to upload statistical data to the vendor. Usually that is a default setting, already checked but the user would have the option to remove that during the installation. Long and short of it is, most vendors ask the community for input but none of them rely on it...except for these new "cloud" computing concept vendors. This "Immunet" program is news to me as I've never heard of it. I would also never use it certainly as a primary security scanner and NEVER as a secondary on board scanner. Why would anyone? You only need one, and if you should ever want another opinion, there are plenty of online scanners available.

The problem with "cloud computing" type a/v products is that one must have an internet connection in order to take advantage of the "cloud". You might have most of what is already in the database already included in the signature database on board, but whatever is newly circulating, one would need access to the cloud in order to download the latest protection. The problem with that as I see it, is that some infections will remove your internet access.

If you have one of those, how then are you to recover the system? Well, according to THAT vendor, you should then rely on your OTHER on board a/v product.

Does anyone else see the futility of this?

Bottom line is, you only need one. They want you to have two.

If you wanted to test two a/v products running on the same system for instability issues you should scan with one a/v product to see if it finds anything in the quarantine folder of the other a/v product. That can be where you should find the most devastating results if there are to be any.

As both a/v engines should be different, including real time scanning, one cannot be sure at what time either is performing a scan and at what pace...that is, while one could be scanning C:\Program Files the other may be scanning C:\ Documents and Settings...you get the idea.

Under that type of scenario, there could be a seemingly flawless run when one or either finds one file at a different time and place, arresting the offending file and changing its file extension, then compressing it to a zipped file...but that's not the end of it.

It should be assumed that eventually the scan engine will catch up with the other, but that is only an assumption. When it does, and if it's worth its salt, and of course depending on the settings, it should complain of the file even though it's already in the lock-up.

At that point, what really creates the instability isn't so much the two scan engines wanting access to the offensive file, but rather the behavior of the antivirus product as observed by the other antivirus product.

It's that "observation" combined with the fact that one a/v product now wants not only the offending file but the other a/v product to relinquish all rights to the file, and if it's a good product, it should also want to arrest the other a/v product just based on its behavior. This creates, or should create, an argument for which there is no solution. If this "argument" does not occur during your test, then one product or the other is not worth having.

That argument is of course, something that should continue for all eternity. THAT is usually what has happened when a user complains of the system freezing. On inspection, when you see there are two a/v products installed, you can bet the farm that is the reason for it.

But that is the test of a good a/v product...you would not want your a/v product to relinquish rights to ANYTHING...not even another a/v product. See?

Problem is, authors of a/v products don't write the programs giving consideration to any of the other a/v products, so one can or should expect this to be an issue anytime there are two a/v products on board running in real time.

As not all scan the same way, the rough ride isn't always noticed immediately...sometimes the argument issue can occur on the next reboot...or maybe the next time Windows creates an image of the system...or even on closing down the system...maybe even 3 or 4 months down the road.

One can't determine all possibilities since they are so vast. My a/v product for example, won't even allow me to mouse over the installer file of another a/v product without screaming about it.

Bottom line is, it's never a good idea to have more than one a/v product on board running real time protection. You only need one. If you want to install two of them then at least you know what to expect.
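Two tests come up in this thread: dropping the harmless EICAR test file to see which resident scanner reacts first (the 274.2K and 5.8K posts), and checking whether one product's quarantine folder, where files are typically renamed and zipped, is still recognised by the other product (the 3.3K post). The script below is an added example written for this thread, not a tool from Immunet or any vendor discussed. It writes the public EICAR string into a directory, polls to classify what an on-access scanner did with it, and then hashes every plain file and zip member under a folder to find the test artifact regardless of name or extension. The `build_fake_quarantine` helper constructs a sample quarantine (renamed copy plus zipped copy) so the script runs offline; real quarantine stores usually encode or encrypt their contents, so against a real product the hash walk is the starting point, not a guaranteed match (an assumption noted in the code).

```python
import hashlib
import tempfile
import time
import zipfile
from pathlib import Path

# EICAR standard anti-malware test string (public, harmless by design).
# Kept in two parts so this source file does not itself contain the contiguous string.
EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_bytes() -> bytes:
    """Return the 68-byte EICAR test string."""
    return "".join(EICAR_PARTS).encode("ascii")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Reference hash computed at import time so the comparisons below are self-consistent.
EICAR_SHA256 = sha256_of(eicar_bytes())


def drop_and_observe(directory, timeout=10.0, interval=0.5) -> str:
    """Write the EICAR file into `directory` and report what a resident
    (on-access) scanner did with it within `timeout` seconds:
      'blocked'   - the write itself was refused
      'removed'   - file gone (quarantined or deleted)
      'altered'   - file present but its contents changed (neutralised)
      'untouched' - still present and intact (no on-access reaction)
    """
    target = Path(directory) / "eicar_test.com"
    try:
        target.write_bytes(eicar_bytes())
    except OSError:
        return "blocked"
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not target.exists():
            return "removed"
        try:
            if sha256_of(target.read_bytes()) != EICAR_SHA256:
                return "altered"
        except OSError:
            pass  # scanner may hold a lock mid-quarantine; look again
        time.sleep(interval)
    return "untouched" if target.exists() else "removed"


def find_eicar_artifacts(folder) -> list:
    """Walk `folder` (e.g. another product's quarantine directory) and list every
    plain file or zip member whose bytes hash to the EICAR string, whatever its
    filename or extension. Assumption: the store keeps the bytes unencoded; real
    quarantines often XOR or encrypt entries, in which case nothing will match."""
    hits = []
    for path in sorted(Path(folder).rglob("*")):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if sha256_of(data) == EICAR_SHA256:
            hits.append(str(path))
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for member in zf.infolist():
                    if sha256_of(zf.read(member)) == EICAR_SHA256:
                        hits.append(f"{path}:{member.filename}")
    return hits


def build_fake_quarantine(folder) -> str:
    """Constructed sample input: mimic a quarantine that renames the file's
    extension and also keeps a zipped copy, as described in the thread."""
    q = Path(folder) / "quarantine"
    q.mkdir(parents=True, exist_ok=True)
    (q / "sample_0001.vir").write_bytes(eicar_bytes())
    with zipfile.ZipFile(q / "store.zip", "w") as zf:
        zf.writestr("payload.bin", eicar_bytes())
    return str(q)


if __name__ == "__main__":
    workdir = tempfile.mkdtemp(prefix="av_dual_test_")
    print("on-access reaction:", drop_and_observe(workdir, timeout=5.0))
    print("artifacts found in fake quarantine:",
          find_eicar_artifacts(build_fake_quarantine(workdir)))
```

Run it with one product's quarantine path as the folder argument to `find_eicar_artifacts` to see whether the second product's scan would have anything to object to; on a machine with no on-access scanner the drop reports `untouched`, which is itself the baseline to compare against.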