App Review: A Bitdefender Internet Security test


Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
886
For example, BD could have blocked access to those files if they had been downloaded from the Internet. To be fair, BD's true protection may depend on a combination of web protection, behavioral protection, signature-based protection, etc.
I don't know why you are forgetting that all those modules were in action except web protection. When a file is executed, the behavioral and signature-based protection modules etc. are in action, or supposed to be in action. Oh, and keep in mind BD has a specific module just to prevent ransomware infection. IMHO the only module not in action was the web protection module. From your point of view, I am forced to assume that BD is only good against the threats arising from the net and not good against all other vectors.
 

Kuttz

Level 13
Verified
Top Poster
Well-known
May 9, 2015
630
I don't know why you are forgetting that all those modules were in action except web protection. When a file is executed, the behavioral and signature-based protection modules etc. are in action, or supposed to be in action. Oh, and keep in mind BD has a specific module just to prevent ransomware infection. IMHO the only module not in action was the web protection module. From your point of view, I am forced to assume that BD is only good against the threats arising from the net and not good against all other vectors.

When one protection module of an antivirus fails, another may be able to protect the system; that is what is known as multi-layered protection in an antivirus. What is the point in ignoring the web protection module of an antivirus when it contributes a substantial amount of protection to the user?
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
@cruelsister, thanks for the interesting test.
This time I have to disagree on one point. On YouTube you said one missed sample is enough not to use an AV. I agree it would be best if an AV detected 100% of malware. Unfortunately we know this is impossible, at least nowadays... we all hope AI, BB, HW solutions etc. will help to reach 100% detection one day.
One missed ransomware is bad, very bad... but what about the other ones you had on your desktop? Did Bit detect them?

Fabian made some good points, but I also don't agree 100%.
In my opinion a (great) AV should always protect the PC from malware, independent of its origin.
Aggressive URL filters and modules that consider the zone identifier help for sure, and it is good to know some AVs use them... but what if the malware is not detected by the filter, or the zone identifier is modified and the malware appears on the HD?
In the end the AV should detect it and protect the device; it doesn't matter what it is or how it appeared on the HD... at least this is what most users expect from it.
No test is perfect, as no AV is, at least not as of now.
AV-Comparatives makes real-world tests. This is great... but what samples are used? How old are these? 100% detection, for some AVs, many times? Really? Why do we still have so many infected PCs? Are all users so bad and such heavy clickers?
Tests where the malware is already on the HD show how strong "the final line of defence" of AVs is if all others failed, but cannot consider the other detection mechanisms.
I like to read the real-world tests, but I still prefer the ones where many samples are scanned and the missed ones are run, at least until someone starts a new test based on better criteria.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
When one protection module of an antivirus fails, another may be able to protect the system; that is what is known as multi-layered protection in an antivirus. What is the point in ignoring the web protection module of an antivirus when it contributes a substantial amount of protection to the user?

I agree, it would be best to consider it since it is part of the line of defence... but I think it's difficult/impossible to create a test that considers all lines of defence of an AV, and with the "right" weight.
The problem is that many AVs have URL detection based on a list of bad URLs and not on heuristics/BB.
How does Bitdefender's web protection work?
(Btw, I never read that it's its strongest line of defence.)
Independent of this, what if the web protection misses it?
An AV that mostly relies on web detection will leave the user in a "dangerous" situation....
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Hi Guys!

1). The major point about this video (and the two preceding vids) is to attempt to replicate the 100% level (absolute perfection) that the Pro testing sites gave to certain products. Although valid points were made regarding detection from infected URLs and email attachments, it must be said that running the malware as was done in the videos is also valid, mainly because this method was part of the Pro testing methods whose methods I question. For example, AV Comparatives does some of their tests (File Detection Tests) just by running malware as I did, and AVTest states that as a part of the test they run "malicious files that have been transferred from external storage devices" - in other words directly running the malware. So a fail on directly running malware is still a fail and definitely would not yield perfection.

Furthermore, about URL and email protection - unless a given AV product has a specific block on a malware URL or a file that showed up in an email, in order for the system to be infected something HAS to be run locally on the system to cause the infection, and running malware directly will replicate the results when a malicious URL or emailed file is not in their database.

Finally about this - when a product states that they have URL and email protection it shouldn't be assumed that they will in all cases actually protect. BitDefender has an anti-ransomware module, but that didn't work out so well (another case of pretty words...).

2). Why I've been concentrating on ransomware - aside from the fact that Blackhats and script kiddies alike have made ransomware the fastest growing segment of malware, the results of the infection are "in your face" with no need for any sort of forensic analysis, so it will make a point in a more efficient (and dramatic) manner.

Really finally - SolarQuest - BD would have been bypassed by a great many malware files that I have that I didn't include in the testing. In this test, of those remaining on the Desktop, one would have been blocked if BD was maxed out, the others sadly not.
 

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
Like I said before, detection rate is not equivalent to protection capabilities. If someone runs every single sample, day by day, and expects that an AV product will protect them 100% of the time, he/she lives in an illusion.

100% protection doesn't exist, although some products can achieve a 100% detection rate on a certain malware pack tested.
These two should not be mixed.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Hi Guys!

1). The major point about this video (and the two preceding vids) is to attempt to replicate the 100% level (absolute perfection) that the Pro testing sites gave to certain products. Although valid points were made regarding detection from infected URLs and email attachments, it must be said that running the malware as was done in the videos is also valid, mainly because this method was part of the Pro testing methods whose methods I question. For example, AV Comparatives does some of their tests (File Detection Tests) just by running malware as I did, and AVTest states that as a part of the test they run "malicious files that have been transferred from external storage devices" - in other words directly running the malware. So a fail on directly running malware is still a fail and definitely would not yield perfection.

Furthermore, about URL and email protection - unless a given AV product has a specific block on a malware URL or a file that showed up in an email, in order for the system to be infected something HAS to be run locally on the system to cause the infection, and running malware directly will replicate the results when a malicious URL or emailed file is not in their database.

Finally about this - when a product states that they have URL and email protection it shouldn't be assumed that they will in all cases actually protect. BitDefender has an anti-ransomware module, but that didn't work out so well (another case of pretty words...).

2). Why I've been concentrating on ransomware - aside from the fact that Blackhats and script kiddies alike have made ransomware the fastest growing segment of malware, the results of the infection are "in your face" with no need for any sort of forensic analysis, so it will make a point in a more efficient (and dramatic) manner.

Really finally - SolarQuest - BD would have been bypassed by a great many malware files that I have that I didn't include in the testing. In this test, of those remaining on the Desktop, one would have been blocked if BD was maxed out, the others sadly not.

Thanks for the additional information... missing one malware is bad; missing even more, many in a little pack also used for other AVs, is a disaster.
People that watched your test understood Bitdefender doesn't offer 100% detection, but probably also got dubious about how bad the situation is.... Was the one missed in your video the only one it missed? Many users could live with that... was it one out of many?.... that's a way different story. ;)
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The one thing a person should never do is to attribute the lack of infection to the security product used ("I've used X for years and never was infected!!!"). This is a logical flaw, as the user's lack of infection may be (and probably is) related to knowledge (not downloading stuff from crack sites, not opening up email attachments, etc.), or just luck (not ever visiting a legitimate website that hosted malvertising). But many people don't have this knowledge or lack that luck and will get infected.

Yes, it is a truism that nothing is perfect, but some products are a great deal less perfect than others. The purpose of my videos is nothing more than making this point, hopefully resulting in a user adding an additional layer of defense or moving to a closer to perfect product.

But as for BD - if I was forced to make a really quick breach video, this is among the products that come to mind first to be used.
 

MalwareBlockerYT

Like I said before, detection rate is not equivalent to protection capabilities. If someone runs every single sample, day by day, and expects that an AV product will protect them 100% of the time, he/she lives in an illusion.

100% protection doesn't exist, although some products can achieve a 100% detection rate on a certain malware pack tested.
These two should not be mixed.
I agree it's impossible to get 100% since malware is being produced every single second right now across the world. As soon as it hits the web it becomes dangerous & it will take time to locate these malicious applications/URLs, etc & categorise them. It's actually incredible that AVs can get in the 90%s since that is an achievement in itself when you think about how much malware there is out there...
 

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
We are not directly connected to malicious sites every day. There is a series of security layers in all the networks that malware should exploit in order to get to its final destination. I wanted to make the point that the probability that you will encounter a true zero-day malware (or malware <10 days old), able to avoid signature detection from ~10 major AV companies, is really, really (did I say really?) small.
 

security.paranoid

Level 2
Verified
Dec 6, 2014
57
@cruelsister thank you for the videos. I have a question: nobody does endpoint security software reviews, for example Symantec SEP, Kaspersky KES, OfficeScan XG and Sophos Intercept, or the local management versions? Can you please take a look at the current offers from major providers? Have a great day.

Guys, the first security layer is the user: test files in VMware, Sandboxie, auto-sandbox; use a separate environment for work; don't click on unknown links; use updated hosts block sources; keep the system updated. This is for the experienced user. Can a regular user get the same protection automatically, with a product which uses artificial intelligence, even if the PC is not connected to the internet? If there is no such product, there is no 100% shielded system.
 

Wave

we all hope AI, BB, HW solutions etc. will help to reach 100% detection one day.
Impossible, because we'd end up mixing in genuine software which has more risky behaviour (but with perfect explanations), such as creating Windows services and starting them (e.g. to load a device driver), adding to start-up, modifying the hosts file (e.g. some less-popular and less-sophisticated ad-blockers will use this method to block the hosts), etc... So for this type of stuff, automatic would not be best, and if it used a scoring system then by the time a score is reached to auto-block the program it may already be too late. And when it comes to alerts, if the user downloaded and ran the malware, chances are they'll accept the BB/HIPS alerts (sadly) and become infected anyway.

But you already know this, I don't aim this post at you. I just quoted that part to respond to the thread.

Guys, the first security layer is the user: test files in VMware, Sandboxie, auto-sandbox; use a separate environment for work; don't click on unknown links; use updated hosts block sources; keep the system updated. This is for the experienced user. Can a regular user get the same protection automatically, with a product which uses artificial intelligence, even if the PC is not connected to the internet? If there is no such product, there is no 100% shielded system.
Well said! :) (gonna add some details, hopefully you like/agree with them)

Using a Virtual Machine will give you benefits since in the case of infection you can revert back via a snapshot and lose the infection; the downside is that you may have forgotten to back up files, and you should never copy files across from an infected system to a clean state prior to checking that those documents really are clean (e.g. a virus infection can result in the infection of your documents, therefore once they are executed on the clean environment => the infection spreads again when the virus code is executed). A sandbox is good, but a Virtual Machine is so much better in terms of protection IMO.

Not clicking on unknown/suspicious links will give you benefits since you will reduce your chances of running into a new malicious URL which could potentially attempt to execute an exploit; user-intervention counts as clicking a website link, and the malware authors want to infect you with you providing the most minimal effort for them to do so (makes the job much easier for them), therefore exploitation is slowly becoming more and more common. That being said, exploits can be an entire new dangerous game to play with and can be incredibly hard to create (e.g. a new zero-day exploit) depending on the target, so it is probably rare for anyone here at least to just suddenly run into a zero-day exploit which causes host infection (e.g. the website exploit was executed, resulting in the browser sandbox being bypassed and code execution occurring on the host, usually via shell-code).

Keeping the OS/any other software up-to-date will ensure that the latest security patches are applied which is a line of defence for exploit mitigation; removing any software you no longer need/is outdated or not supported is another great method for exploit mitigation since it'll result in lowered attack points for exploitation.

Using the hosts file to block known malicious/suspicious hosts from a database is a good idea because it can reduce the chances of you becoming a victim of malvertising - that being said, this also counts for using an ad-blocker such as uBlock Origin/Adguard.

Using a VPN (Virtual Private Network) can be very beneficial because it can help protect your IP address from falling into the wrong hands - that being said, it's not really an "essential" in my opinion, but just an additional line of defence if you are paranoid... Since if an attacker does obtain your IP address, they may potentially use it for attacks such as DDoS (e.g. via a botnet which has infected many systems), and then this can use up all your internet bandwidth via the packets being sent, resulting in you not being able to use your internet resources properly (basically it'll ruin your evening/s haha!).

Regarding artificial intelligence, it's not as reliable as they make out since it's impossible to 100% differentiate between clean and malicious, 100% of the time. In many situations, the monitored behavior can show clear malicious patterns and the AI would be able to tell that the program has a high percentage of being malicious, but you never know these days.

List can go on... I just wanted to detail some points!

Malware is evolving all the time, the best defence is a layered defence - the first line of defence within this layered defence should be yourself in the end anyway. If you fail then you'll become infected, pretty much. :)
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
886
Malware is evolving all the time, the best defense is a layered defense - the first line of defense within this layered defense should be yourself in the end anyway. If you fail then you'll become infected, pretty much
I agree, but only a handful of people employ a layered defense approach, and 99% go for those well-reputed "100% safe" products believing that they are 100% protected. These 100% testing results play a big part in the minds of buyers and users (I used to believe them) when choosing their security software. Tests by cruelsister are an eye-opener even for the members of the MalwareTips family, and I am extremely thankful to her for educating us.
 

KGBagent47

The one thing a person should never do is to attribute the lack of infection to the security product used ("I've used X for years and never was infected!!!"). This is a logical flaw, as the user's lack of infection may be (and probably is) related to knowledge (not downloading stuff from crack sites, not opening up email attachments, etc.), or just luck (not ever visiting a legitimate website that hosted malvertising). But many people don't have this knowledge or lack that luck and will get infected.

Yes, it is a truism that nothing is perfect, but some products are a great deal less perfect than others. The purpose of my videos is nothing more than making this point, hopefully resulting in a user adding an additional layer of defense or moving to a closer to perfect product.

But as for BD - if I was forced to make a really quick breach video, this is among the products that come to mind first to be used.
I don't question your test or your superior content knowledge. I only comment that I run BD IS on some very high-risk, security-ignorant users' systems. And I've been severely burnt in the past by some other products, but BD has been a very solid option against actually distributed malware.
 

KGBagent47

I agree, but only a handful of people employ a layered defense approach, and 99% go for those well-reputed "100% safe" products believing that they are 100% protected. These 100% testing results play a big part in the minds of buyers and users (I used to believe them) when choosing their security software. Tests by cruelsister are an eye-opener even for the members of the MalwareTips family, and I am extremely thankful to her for educating us.
I don't disagree with you, but at the end of the day the only product she can truly recommend is CIS, which really isn't an option for some less savvy users, who you can't depend on to isolate an unknown program.
 
