AV-TEST ATP Test: How easily Windows can be tricked by malware

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

I've seen this in other tests, where F-Secure (maybe Avira, too?) will block it on execution. What is the difference between why some are better at initial access and others at execution? What is the Avira SDK "missing" to be able to catch things earlier?
Most of the McAfee engines are pre-execution based. They use a decision matrix of several engines (7-8 engines), of which only one (Real Protect) is post-execution.

Plus they operate a large reputation pool.
 
I like pre-execution block.
I prefer pre-execution block as well, for the firewall too, @Jonny Quest. But for a user that wants a "slimmed down" setup, i.e. built-in security instead of an extra app,
I believe MD is more than enough, maybe not out of the box, but when tweaked it can seem to be a powerhouse.
 
I appreciate it, but I'm more of a 3rd party AV type, just a personal preference thing :) And, I do like Brave much better than I.E. :)
 
I'm surprised that ESET Ultimate could not block the threat with their LiveGuard module. It should have blocked the threat with LiveGuard. One of the reasons I use Smart Security Premium is because of the LiveGuard and Folder Protection. MD was probably left at default settings. I wonder if MD Max Protection and Firewall Hardening could have prevented the attack. But one should always keep a backup just for these types of scenarios. Infostealer on the other hand is much more dangerous than a ransomware imho. Ransomware attacks can be rolled back if you have a backup, but an infostealer stealing your data is a huge nightmare.
 
I've highlighted the role of habits in my first message; please take a closer look at those details, as they are essential to the solution.

Home Users
Most commonly encounter these via malicious downloads (pirated software, "cracks," or fake updates) and phishing emails with attachments like ISO files or ZIP archives.
 

Yes, indeed.
The test scenario is significantly different from what a cautious user encounters on a daily basis.
 

Although this is @Andy Ful's area of expertise, I would be willing to bet on it.
But even if it's a no, I'm sticking with MD, which I think has done well.
 

MD missed the attack vector number 3. It uses the .bat file to run Curl LOLBin, which downloads the payload. Next, the payload DLL is executed via RunDLL32 LOLBin.

MD can fully mitigate the attack on the execution stage when the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" is enabled. This rule can block mainly new EXE files, but also new DLL files executed via RunDLL32.

FirewallHardening will block Curl from downloading the payload (the attack can be blocked at the initial stage).
 
@Andy Ful's point regarding ASR Rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" is the primary NIST-recommended hardening step for this vector. By enforcing a "reputation" requirement on the DLL, the system blocks the execution even if rundll32.exe (the parent process) is trusted.

Block LOLBin Internet Access
Use your firewall to prevent built-in Windows tools (LOLBins) like curl.exe, powershell.exe, and certutil.exe from initiating outbound connections to the public internet unless required for a specific business task.

For products like ESET, ensure the following modules are active and set to a "Smart" or "Aggressive" mode.

HIPS (Host Intrusion Prevention System)
Configure rules to monitor for unauthorized modifications to the %SystemRoot%\System32\ directory, which is a primary target for placing phantom DLLs.

Advanced Memory Scanner & Ransomware Shield
These modules are essential for detecting malicious code once it has been sideloaded into a legitimate process.


Focus on maintaining secure digital habits to prevent avoidable risks. This includes avoiding pirated software, 'cracks,' or illegitimate updates, and staying vigilant against phishing attempts.
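As an added example (not code from the thread, from Microsoft or from any vendor), the two mitigations described in this post and in Andy Ful's post above, applied with PowerShell: the ASR prevalence/age/trusted-list rule through Defender's Add-MpPreference, and outbound Windows Firewall blocks for the LOLBins named here (the thread's "FirewallHardening" is a separate tool; this uses only the built-in firewall). Assumes an elevated session on a host where Microsoft Defender is the active antivirus; the ASR rule GUID is Microsoft's documented ID for that rule.

```powershell
# Hardening for the .bat -> curl.exe -> rundll32.exe chain discussed in the thread.
# Run elevated; ASR rules need Defender real-time protection and cloud protection enabled.

# 1. ASR rule "Block executable files from running unless they meet a prevalence,
#    age, or trusted list criterion". Action Enabled (=1, Block) also covers new DLLs
#    loaded through rundll32, which is the stage MD missed in the test.
$asrPrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrPrevalenceRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# The rule consults cloud reputation, so cloud-delivered protection must be on.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# 2. Block outbound traffic for the LOLBins listed in the post, which stops the
#    curl download at the initial stage. Trim the list if a tool is needed for work.
$lolbins = @(
    "$env:SystemRoot\System32\curl.exe",
    "$env:SystemRoot\System32\certutil.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)
foreach ($exe in $lolbins) {
    $name = "Block outbound - $([IO.Path]::GetFileName($exe))"   # constructed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
                            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# 3. Verify: the ASR rule should report action 1 (Block) and the firewall rules exist.
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    # -eq on strings is case-insensitive, so GUID casing does not matter here
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -eq $asrPrevalenceRule) {
        "ASR prevalence rule action: $($prefs.AttackSurfaceReductionRules_Actions[$i]) (1 = Block)"
    }
}
Get-NetFirewallRule -DisplayName 'Block outbound - *' |
    Select-Object DisplayName, Direction, Action, Enabled
```

If a third-party antivirus such as ESET is the active AV, Defender's ASR rules do not apply, so only the firewall part of this script is effective on that host.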
 
Your last paragraph sums it up. The end user should ultimately be mindful and keep his/her guard while being online.

As for ESET, I find their HIPS and anti-ransomware guard useless. They can delete those two from their product. HIPS is not at all configurable, and I do wish they had an aggressive mode for HIPS with some predefined rules. HIPS even at the smart setting would not have been able to prevent this attack.
 
Does ESET Protect Advanced have extra security features compared to ESET Ultimate? The Home version failed but the endpoint version passed.
Home products are tested on default settings while for Endpoint products the vendor can configure however they want. So Aggressive sensitivity or some other policy might have made a difference. In Endpoint, LiveGuard's threshold for detection can be lowered also to increase detection.
 
ESET HIPS Smart Mode can effectively stop the problem if the custom rule I mentioned in my post is created.

The technical reason is that ESET’s HIPS logic is designed to honor all custom user rules, regardless of whether the system is in Automatic, Smart, or Learning mode. While Smart Mode is programmed to be "quiet" and only notify you of very suspicious events by default, adding a specific manual rule creates a mandatory check that overrides the standard automated filtering.

In HIPS, manually created rules are evaluated alongside pre-defined system rules. By explicitly creating a rule to monitor or block modifications to %SystemRoot%\System32\, you are instructing ESET to ignore its "Smart" reputation-based whitelist for that specific path.
 