AV-Comparatives Real-World Protection report (September '17)

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
Trend Micro had 80 FPs, while Norton had a whopping 274 false alarms!
Chill. These files are key generators or controversial programs. https://malwaretips.com/threads/22-9-23-2.75676/ had two false positive samples and Symantec blocked them too. Programs like Office or Firefox that you're using every day would never ever be blocked by Symantec. Like you actually said:
we should take these tests with a grain of salt
without
But on the whole I can understand your argument.
 
F

ForgottenSeer 65219

I see some people confused here!
Believe it or not, Microsoft architects operating systems, databases, IDEs, etc.
I'm officially switching to Windows Defender :D
Because I don't want to destabilize my work system with the great protection of Bitdefender, Kaspersky, etc. :ROFLMAO:
I prefer lab tests to YouTube channels. I'm guilty on this point. :)
 

amico81

Level 21
Verified
Top Poster
Well-known
Jan 10, 2017
1,061
I see some people confused here!
Believe it or not, Microsoft architects operating systems, databases, IDEs, etc.

That's true... but I don't see Defender for the average user. In our malware hub Defender rocks... impressive... but with tweaks!!!!
My grandmother cannot tweak Defender for best protection. Microsoft should work on the controls.
 

russ0408

Level 5
Verified
Well-known
Jul 28, 2013
236
That's true... but I don't see Defender for the average user. In our malware hub Defender rocks... impressive... but with tweaks!!!!
My grandmother cannot tweak Defender for best protection. Microsoft should work on the controls.
Most antivirus programs need tweaks for optimum performance (Avast, Kaspersky), so why not Windows Defender?
 

JChris

Level 1
Verified
Oct 1, 2017
24
Never heard of CrowdStrike!

I believe another user talked about CrowdStrike in this thread, but I'd like to add a bit more information: CrowdStrike shouldn't really be in that comparison, as their solution isn't an antivirus per se; rather, it's an advanced threat protection solution, as they focus on advanced persistent threats (APT). They "lie" a bit in telling you that their solution can replace signature-based AVs, but in the end, it can't (yet). The best scenario (which is very costly) is having endpoint AV + ATP.

Their main solution is CrowdStrike Falcon, an ATP solution for enterprise endpoints. They also sell the Falcon Search Engine (previously named Falcon MalQuery), which is a search engine for IOCs. They claim (and I believe them) that their database is the largest out there; as they have integration with VirusTotal and also have their own sensors, the search engine is very powerful. Their solutions are all cloud based, so this is a thing to consider if you have subnets in your network that are not allowed to reach the Internet (they don't have the option to deploy an internal cloud). They are the #2 AWS client, second only to Netflix, so this might show you the scale we are talking about.

They also offer threat intelligence services and other things. There is a lot more to be said about them, but I believe that will give you a hint.

I know about that because I ran a POC with their ATP solution for my company, and they did a great job spotting APT techniques, but failed to spot some community malware that any "big name" AV would spot.

About Falcon Search Engine:
 

russ0408

Level 5
Verified
Well-known
Jul 28, 2013
236
I don't know why everyone is so shocked about Windows Defender doing so well. We are talking about the company that develops the most used computer operating system in the world, and probably has the largest virus data bank in the world. I think Microsoft realizes that if they want more people to get on board with Windows 10 they will have to make it secure. Previously Microsoft backed off and let third-party security companies battle for supremacy; now Microsoft is starting to come to the forefront and people will realize they don't need to pay the extra cost of third-party security.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Chill. These files are key generators or controversial programs. https://malwaretips.com/threads/22-9-23-2.75676/ had two false positive samples and Symantec blocked them too. Programs like Office or Firefox that you're using every day would never ever be blocked by Symantec. Like you actually said:

without

But on the whole I can understand your argument.


No, they aren't. AV-Comparatives doesn't use those files in the clean sample set; you can read the AMTSO false positives test guidelines for more info.

Symantec now has an outrageous number of false positives because of its machine learning algorithm and its cloud reputation; what is really annoying is that Norton likes to auto-delete everything and some files don't get a copy in the quarantine.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
I don't know why everyone is so shocked about Windows Defender doing so well. We are talking about the company that develops the most used computer operating system in the world, and probably has the largest virus data bank in the world. I think Microsoft realizes that if they want more people to get on board with Windows 10 they will have to make it secure. Previously Microsoft backed off and let third-party security companies battle for supremacy; now Microsoft is starting to come to the forefront and people will realize they don't need to pay the extra cost of third-party security.

I fully agree with you, Microsoft has the biggest malware telemetry and this results in a big advantage in the modern age of cloud and machine learning protection.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,760
I never had FP problems with DeepGuard :D Sometimes it will block some uncommon tools that don't have a valid digital signature or something like that, but it will never block legitimate and famous software like a media player?! So there is no FP for me.
This is the way DeepGuard works:

DeepGuard's behavioral analysis is activated by two events. When a program is launched for the first time, DeepGuard analyses it to determine if it is safe to run. Subsequently, DeepGuard continues to monitor the program while running.

1. Pre-launch analysis
When a program is first executed, regardless of how it is launched (the user clicks the file icon, an e-mail attachment or program initiates it, etc.), DeepGuard temporarily delays it from executing in order to perform the following checks:

1.1 File reputation check
If an Internet connection is available, DeepGuard sends a query to the Security Cloud (below) to check for the latest information on the program's reputation in the clean file database, which contains the latest security evaluations for a vast catalog of commonly used applications. This database is maintained and constantly updated by F-Secure Labs analysts. Programs that have been rated as clean in the database are allowed to bypass additional checks and launch immediately, whereas known malicious files are blocked at once.

Read more here:
https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf
DeepGuard needs an Internet connection, so without an Internet connection it may block legitimate software :D
 
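The pre-launch flow quoted above, written out as an added illustration (this is not F-Secure's code or anything from the whitepaper): the gate hashes the file, asks a reputation service, lets known-clean files launch at once, blocks known-malicious ones, hands unknown ones to runtime monitoring, and makes the offline case Sunshine-boy raises an explicit fail-open or fail-closed choice. The reputation database, the sample file bytes and the fail_open switch are constructed assumptions.

```python
import hashlib
from typing import Literal, Tuple

Verdict = Literal["clean", "malicious", "unknown"]
Decision = Literal["allow", "block", "monitor"]


class CloudUnavailable(Exception):
    """Raised when the reputation service cannot be reached."""


# Constructed sample files standing in for real executables (assumption).
CLEAN_SAMPLE = b"MZ\x90\x00 constructed well-known media player binary"
MALICIOUS_SAMPLE = b"MZ\x90\x00 constructed known-bad dropper"
UNKNOWN_SAMPLE = b"MZ\x90\x00 constructed home-grown unsigned tool"

# Stand-in for the vendor's clean/malicious file database, keyed by SHA-256.
SAMPLE_CLOUD_DB: dict[str, Verdict] = {
    hashlib.sha256(CLEAN_SAMPLE).hexdigest(): "clean",
    hashlib.sha256(MALICIOUS_SAMPLE).hexdigest(): "malicious",
}


def cloud_reputation(sha256: str, online: bool) -> Verdict:
    """Query the (simulated) reputation cloud; anything not listed is 'unknown'."""
    if not online:
        raise CloudUnavailable("reputation service unreachable")
    return SAMPLE_CLOUD_DB.get(sha256, "unknown")


def pre_launch_decision(file_bytes: bytes, online: bool,
                        fail_open: bool = False) -> Tuple[Decision, str]:
    """Decide what happens to a program the moment it is first launched.

    fail_open=False reproduces the behaviour the post describes: with no
    connection, even a legitimate file is held back because its reputation
    cannot be confirmed. fail_open=True lets it run under behavioural
    monitoring instead, trading a possible miss for fewer false blocks.
    """
    digest = hashlib.sha256(file_bytes).hexdigest()
    try:
        verdict = cloud_reputation(digest, online)
    except CloudUnavailable:
        return ("monitor" if fail_open else "block", "cloud unreachable")
    if verdict == "clean":
        return ("allow", "known clean: skip further checks")
    if verdict == "malicious":
        return ("block", "known malicious")
    return ("monitor", "unknown: run under behavioural monitoring")
```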
5

509322

Well, I don't care what Real-World Protection Test - AV-Comparatives says; I am sticking with Emsisoft | Anti-Malware: Lightweight Malware Protection for the Home for the time being. More than happy with it. :)

3 files out of 100. Statistically nothing to fret about. And in your case, statistically, it is a moot point because you are not a prolific downloader. So you will be happy while the typical person here plays their monthly game of switching to a new security config.
 
5

509322

Edit:
Sorry, I forgot this was a dynamic test and didn't include signatures. Regardless though, in reality the Emsisoft Behavior Blocker has the potential to protect the user a lot more than Windows Defender IMO. It is nice to see Microsoft improving a lot and taking things more seriously though.

Make it a 24/365 real-time dynamic test with samples drawn from the four corners of the Earth and the results will be different. I can't say better or worse for each vendor, as one really cannot know, but I do know the established patterns shown every month in the Comparatives test will almost certainly not be present in such a test's final results.

These monthly threads are very childish and, in my observation, one of the leading causes of drama on the forum. You know what I mean.
 