Serious Discussion Are antiviruses unimportant?

[Dexter_Morgan31]

I've done a test, That test was behavioral analyse test and i tested antiviruses with ransomware that my friend programmed.


And no antivirus blocked it, Ransomware encrypting files with random key through AES-256 since it starts. It was so bad for us because we was trusting behavioral analyse on a zero day attack.

Video link:

And that test pushing us thinking antiviruses is not different from 2000s antiviruses and they are unimportant.

What do you think?

Description about Norton And Avira on test: Avira blocked virus by antivirus, not by behavioral, IT CANT BE TESTED AS BEHAVIORAL ANALYSE. That's why its counted "not blocked", also norton is like avira, counted not blocked.

 

[mlnevese]

So, the products blocked an unknown software from encrypting the user files using one of their modules that recognized an unknown software was trying to access protected files and that module had to be disabled for the encryption to happen, and that counts as not blocked? I don't get the logic here.

As far as I understand it blocking unknown software from accessing protected files counts as behavior blocking.

Also, a good opportunity to test ZoneAlarm Next Gen.

 

[Dexter_Morgan31]

So, the products blocked an unknown file from encrypting the files using one of their modules, that had to be disabled for the encryption to happen, and that counts as not blocked? I don't get the logic here.

Also, a good opportunity to test ZoneAlarm Next Gen.

This is behavioral block test. Not antivirus or HEURISTIC test.


i wrote ZoneAlarm to my mind.

 

[TuxTalk]

Dunno.. use Linux ;-) so no click from me...

 

[lokamoka820]

Not detecting a 0-day malware doesn't mean antivirus are useless, in percentage this situation will be less than 1% in real-world, but not using antivirus software at all will make disaster for about 95% of users, remember that not all users are equals.

 

[Dexter_Morgan31]

Not detecting a 0-day malware doesn't mean antivirus are useless, in percentage this situation will be less than 1% in real-world, but not using antivirus software at all will make disaster for about 95% of users, remember that not all users are equals.

But that is very simple ransomware, even behavioral analyse cant block this, how can it block a real zero day attack? Change my mind. If behavioral analyse cant even block that simple virus, What is difference between 2000's antiviruses and todays?

 

[Victor M]

even behavioral analyse cant block this, how can it block a real zero day attack?

People are betting that they Never get a zero day.

On the flip side, measure how many non-zero days people get.

 

[roger_m]

It seems to be rather a pointless test, when it was it was done with the file shield disabled. Also, why did you use an old version of Norton and not the new one which is based on Avast?

 

[silversurfer]

Instead sharing the test result(s) here to the forum, the OP should rather sending ALL information to the AV vendors mentioned in the first post.
Major AV vendors offers support for paid customers via email or if possible on their community forum.

The question "are antiviruses unimportant?" is dangerous for the majority of web users because without an AV some of them would ending up infected sooner or later.

 

[mlnevese]

But that is very simple ransomware, even behavioral analyse cant block this, how can it block a real zero day attack? Change my mind. If behavioral analyse cant even block that simple virus, What is difference between 2000's antiviruses and todays?

Well you disabled the module that was responsible for protecting user files. The software wasn't trying to open firewall doors, install a kernel level driver or any other suspicious activity AND the module responsible for protecting user files couldn't do anything because it was disabled.

If you want to test heuristics try something that tries to listen to ports, open firewall ports, try to launch a connection to a website or download further payload from the web, install a kernel level driver etc. And keep all modules active. Most if not all modern solutions use an integrated approach to protection.

 

[Trident]

Antivirus software is not unimportant, just the top 4-5 home security vendors together, daily:

• Generate more events on their cloud (look-ups, blocks, updates) than Google, which is estimated to total at about 3.5 bln events daily.
• Block hundreds of thousands of malicious files and sites every single day across millions of machines
• Take hundreds of thousands of security decisions.
• Protect real users in real-life situations from getting screwed.

You should not be testing security software by disabling modules, if a module has produced detection then you should consider the sample as “gone” and you should work on new sample.

In terms of what you call behavioural analyse, the behavioural blocker is not a magician. It does work and it blocks hundreds of zero days every hour. Some of them will be blocked on time, some of them not so much. Some of them will be a total miss. You’ll get better results from solutions whose behavioural blocker is centred around the Mitre ATT&CK and not so much around profiles (that simply block more of what is known).
Home AVs are designed with multiple goals in mind, including silence, performance and lack of false positives, blocking zero-days is not the first priority.

But in this case detections were produced by other modules, at this point it was game over for you and your test.

 

[Kongo]

You should not be testing security software by disabling modules, if a module has produced detection then you should consider the sample as “gone” and you should work on new sample.

Facts.

 

[Andy Ful]

@Dr. Wells ,

Creating one FUD (Fully UnDetected sample) that can bypass behavioral modules of several AVs is always interesting, but unimportant in the wild. Such FUDs happen all the time.
Many of them are detected/blocked when AVs use all modules.
The main difference between current AVs and those from 20 years ago is the complementary usage of different modules. So, some types of ransomware can be detected by the signature (including fuzzy hashes, wildcards, etc.), heuristics, behavior, file reputation, etc., or by the cumulative effect of all mentioned techniques. So, there are possible malware samples that can bypass any single AV module and be detected anyway.
Another main difference is using a special treatment for samples downloaded from the Internet. For example, your sample originating from the Internet could be checked against AV Sandbox in the cloud.
We also have examples of detections via deep learning when all information about malware is used in detection (delivery, code, behavior, file reputation, etc.) and no one knows which element was decisive.

Edit.
One common element is that the chances of infection are similar nowadays compared to 20 years ago.

 

[Dexter_Morgan31]

Friends, WHY are you still say "you did not open all modules"? That's what i said before, Not heuristic, not Ransomware protection test, not antivirus test, That's Behavioral test. It's writing on video title.

On other hand, Yes many web users can eat virus from downloading anything but web users like me, Just scare of zero-day exploits and what can stop it is Behavioral Protection. But what we saw is that antiviruses behavioral analyse cant even block a simple ransomware on video. THAT Ransomware hasn't even a FUD (It dont matter, FUD just hides malware from heuristic protection, not behavioral). Yes i know that behavioral is not magician but it cant even block this. So my trust to antiviruses broken.

 

[Dexter_Morgan31]

Why did you use and old version of Norton and not the new one which is based on Avast?

I'm already testing AVG on video, why needed to test new Norton? is it different from Avast or AVG? also i haven''t got that new update.

 

[Kongo]

Friends, WHY are you still say "you did not open all modules"? That's what i said before, Not heuristic, not Ransomware protection test, not antivirus test, That's Behavioral test. It's writing on video title.

On other hand, Yes many web users can eat virus from downloading anything but web users like me, Just scare of zero-day exploits and what can stop it is Behavioral Protection. But what we saw is that antiviruses behavioral analyse cant even block a simple ransomware on video. THAT Ransomware hasn't even a FUD (It dont matter, FUD just hides malware from heuristic protection, not behavioral). Yes i know that behavioral is not magician but it cant even block this. So my trust to antiviruses broken.

But the thread title makes absolutely no sense. If you disable all modules except behavioural analysis, then it's more likely to fail. So how can anyone decide wether antiviruses are useless or not, when you didn't even let the AV unfold its full potential.

 

[TuxTalk]

Now a days this forum is full of :

 

[Jonny Quest]

But the thread title makes absolutely no sense. If you disable all modules except behavioural analysis, then it's more likely to fail. So how can anyone decide wether antiviruses are useless or not, when you didn't even let the AV unfold its full potential.

And that's why I originally posted (deleted it) that I thought this was a clickbait thread title, to get promotion attention here and on the YouTube Channel.

 

[Dexter_Morgan31]

But the thread title makes absolutely no sense. If you disable all modules except behavioural analysis, then it's more likely to fail. So how can anyone decide wether antiviruses are useless or not, when you didn't even let the AV unfold its full potential.

Bro you're right i should've write more detail to thread title, yes, According to title, For most people antiviruses is not unimportant. But for people like me, Antiviruses is only needed to fight against zero-day exploits. I've been using pc for 10+ years, i just ate 2 virus in my childhood. So that's what i've trying tell you. I hope i'm not understanded wrong. If Behavioral protection is not even enough to block that simple ransomware, Why i need to use antivirus or people who have good info about PC need to use? What's difference between 2000's antiviruses and todays antiviruses for us? Again, If im understanded wrong, im sorry.

 

[wat0114]

All I can say is I will not pay for an antivirus, because they are less than 100% reliable, as well as my usage habits don't warrant the need for av. Imagine paying for an image/restore utility that is less than 100% reliable. That is why I just use the built-in MS Defender with Andy Ful's hardening tools. For Linux I don't use antivirus.