App Review Avast vs ESET vs Kaspersky vs Emsisoft Detection Test

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Status
Not open for further replies.

yigido

Detection test again? I didn't watch and I won't watch the detection test videos.
Simply 'useless'
Thanks anyway, but a suggestion for the video owner: "do not waste your time with detection tests, if you want to review software please do prevention tests"
Regards,
yigido
 

safe1st

Thread author
Detection test again? I didn't watch and I won't watch the detection test videos.
Simply 'useless'
Thanks anyway, but a suggestion for the video owner: "do not waste your time with detection tests, if you want to review software please do prevention tests"
Regards,
yigido

1 question. But why do people still want to know about the detection ratio of product A, B, etc.?
and also this one for an example
AV-TEST – The Independent IT-Security Institute
 

yigido

1 question. But why do people still want to know about the detection ratio of product A, B, etc.?
and also this one for an example
AV-TEST – The Independent IT-Security Institute
Have it your way!
I am trying to teach people that detection is not the real protection. What about "there is no detection for a file"?
Did you run the sample? Let's say your AV detected 99/100 and the last "ransomware" sample encrypted all your files after it ran!
What happens then? Can you say to the AV vendor, hey, it is a great product with a 99% detection ratio??
Can you re-take your money, did the vendor give you a warranty?
I do not want to discuss more, please read the first sentence in this post and play your antivirus detection game till forever.
You will never reach anywhere with this game.

Regards,
yigido
 

kiric96

Have it your way!
I am trying to teach people that detection is not the real protection. What about "there is no detection for a file"?
Did you run the sample? Let's say your AV detected 99/100 and the last "ransomware" sample encrypted all your files after it ran!
What happens then? Can you say to the AV vendor, hey, it is a great product with a 99% detection ratio??
Can you re-take your money, did the vendor give you a warranty?
I do not want to discuss more, please read the first sentence in this post and play your antivirus detection game till forever.
You will never reach anywhere with this game.

Regards,
yigido

Let's say you are right; however, signatures are one of the first layers of security that AV can have to protect a given user, since I WOULD prefer a file detected before it can do something than while running (it may be possible that some sort of damage can be caused). So this is why, no matter how many modules a certain AV uses, signatures are the most important part of an AV along with URL protection.

thx @safe1st for the nice video as always awesome!
 

novocaine

Thanks for the video :), but I would say it's unfair to ESET, because the result is about how much malware is left, right? But you set ESET to "clean" the detected threats, while you set the other AVs to "delete". Clean means disinfect or neutralize, so a threat successfully cleaned means it's disinfected or neutralized but the file remains there; the file is still inside the folder but it's not harmful anymore. Delete means you absolutely make the whole file disappear: no cleaning, neutralizing or disinfecting effort, an absolute delete. You should re-test :) and of course with the ESET cleaning level set to "no cleaning", so after the scan completes you'll be given the option to delete; then it will be equal. I'm sure that among the 288 samples you used, there is some malware that was successfully cleaned, so it left the files behind.
 

safe1st

Thread author
Thanks for the video :), but I would say it's unfair to ESET, because the result is about how much malware is left, right? But you set ESET to "clean" the detected threats, while you set the other AVs to "delete". Clean means disinfect or neutralize, so a threat successfully cleaned means it's disinfected or neutralized but the file remains there; the file is still inside the folder but it's not harmful anymore. Delete means you absolutely make the whole file disappear: no cleaning, neutralizing or disinfecting effort, an absolute delete. You should re-test :) and of course with the ESET cleaning level set to "no cleaning", so after the scan completes you'll be given the option to delete; then it will be equal. I'm sure that among the 288 samples you used, there is some malware that was successfully cleaned, so it left the files behind.

How do I change the scanner's default response to a virus detection?
Advanced scanning options in ESET Windows home products
Strict cleaning: In this mode, your ESET product will automatically clean or delete infected files without user intervention; the only exceptions are system files. If the scanner detects an infected system file that cannot be cleaned, you will be prompted with an alert window that will allow you to select from a list of available actions.

I use strict cleaning in this video.
 

novocaine

How do I change the scanner's default response to a virus detection?
Strict cleaning: In this mode, your ESET product will automatically clean or delete infected files without user intervention; the only exceptions are system files. If the scanner detects an infected system file that cannot be cleaned, you will be prompted with an alert window that will allow you to select from a list of available actions.

I use strict cleaning in this video.

edit:

I was wrong, and @safe1st you're right; my understanding of clean and delete got contaminated by other AVs. ESET's clean means delete in 'strict cleaning', thanks.
 

Evjl's Rain

Let's say you are right; however, signatures are one of the first layers of security that AV can have to protect a given user, since I WOULD prefer a file detected before it can do something than while running (it may be possible that some sort of damage can be caused). So this is why, no matter how many modules a certain AV uses, signatures are the most important part of an AV along with URL protection.

thx @safe1st for the nice video as always awesome!
great point. 100% agree :)
A behaviour blocker or other modules cannot fully protect users from all kinds of malware, and signatures give a hand and deal with them.
 

Davidov


Azure

How about doing a new series of tests called Proactive test? Disable all components, except the proactive components, and execute malware (10 minimum) to see how the AVs can handle it.

great point. 100% agree :)
A behaviour blocker or other modules cannot fully protect users from all kinds of malware, and signatures give a hand and deal with them.
Well, the same can be said about signature protection. Considering how much malware is being created this very minute, can you imagine how long it takes security companies to be able to catch up to the "bad guys" with signatures?
 

Wave

Detection test again? I didn't watch and I won't watch the detection test videos.
Simply 'useless'
Thanks anyway, but a suggestion for the video owner: "do not waste your time with detection tests, if you want to review software please do prevention tests"
Regards,
yigido
I don't think your opinion is correct because what you said isn't an opinion, it's actually a fact that they are useless. Since once the system has already become infected it can be game over where the system has become beyond repair... Or the malware will already have done damage beyond repair (e.g. ransomware has encrypted all your personal documents, sure you can clean the system but now you've lost your files permanently without paying a ransom which is a bad risk in itself, as long as the encryption algorithm used by the ransomware was strong and the sample was made by someone with real knowledge).

In fact, if your system becomes infected and you do not format your hard-drive and then reinstall the OS, no matter how many on-demand scanners/real-time scanners you have running/active, you'll never be certain if your system is really clean or not, unless you had completely reversed the sample/code which was originally responsible for infecting the machine to understand exactly what it did on your system. E.g. how do you know the sample didn't result in infection of your BIOS (e.g. firmware infection)? Now I'd love to see Malwarebytes Anti-Malware have a go at detecting and cleaning this! :D

Point being, it's all about prevention these days, even if AVs were originally invented with the purpose of cleaning already-infected machines. You install the security product on a clean system and keep your watch out whilst your security software is in the background working as a little extra help... Keep a look out and apply good online practices and chances are you'll be fine (even without additional protection), that is how it should be. Not how it currently is, where people assume they are bullet-proof because they are running the latest version of Malwarebytes Anti-Malware in the background and assume one scan of HitmanPro will make their system 100% clean after malware gets through the MBAM real-time...

You know, the ones that are like, "Oh there's a new MBAM update? Lemme install this quick so I can go about downloading a ton of random crap from the web and show off how powerful it is at making me invincible.. Oh wait what? Damn, my files are now encrypted! Damn, MBAM sucks! Microsoft security sucks! Why can't anyone make something decent and care about the users for once?!"....

signatures are the most important part of an AV along with URL protection
We are in 2016 now and we're going into 2017 - believe me, signatures and URL protection are definitely not the 'most important part of an AV' these days, but maybe back in 2012 a few years ago. Signature detection can still be useful because as you said, 'signatures are one of the first layers of security that AV can have to protect a given user, since I WOULD prefer a file detected before it can do something than while running', but the most important? Not a chance, especially these days. Malware authors are improving more and more, a majority of them are familiar with what "packing"/"obfuscation" is, which helps avoid a lot of static detection alone.

Static heuristics are quite important compared to signatures... Therefore, checking the imported functions (and what libraries they are from), checking the exports, scanning the PE File Header for any interesting characteristics, scanning for strings within the binary, checking the resources, even using an unpacking engine to attempt to unpack the packed sample being scanned (if packing has been identified) to scan it properly (since packing techniques will end up concealing things like imported functions).

Regardless, it's incredibly easy for malware authors to avoid signature detection and have their URL undetected (for first launch of their malware at least)...

1 question. But why do people still want to know about the detection ratio of product A, B, etc.?
and also this one for an example
AV-TEST – The Independent IT-Security Institute
Because they don't understand the more important factors or that there is no "best" security product out there, and therefore they come to us asking these questions to help them gain more knowledge, but usually people don't explain how there is no "best" AV and just recommend a product of their fan-boy choice. It's a shame really.

great point. 100% agree :)
A behaviour blocker or other modules cannot fully protect users from all kinds of malware, and signatures give a hand and deal with them.
It sure has a better chance at catching out zero-day ransomware, rootkits, injectors, keyloggers, worms, downloaders, and other types of malware like general web-browser hijackers/spyware, than signature detection.
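
The static-heuristics checks listed in the post above (PE header characteristics, signs of packing) can be sketched as follows. This is an added example, not code from the thread or from any AV product: the helper names, the 7.0 entropy threshold, the short packer-name list and the two sample images are constructed for illustration.

```python
import math
import struct
from collections import Counter

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* section flags
PACKER_NAMES = {"UPX0", "UPX1", ".aspack"}         # short illustrative list

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: near 8.0 for packed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def sections(pe: bytes):
    """Yield (name, characteristics, raw bytes) for every section of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)               # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    count, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    table = nt + 24 + opt_size                               # first section header
    for i in range(count):
        name, _, _, size, ptr, chars = struct.unpack_from(
            "<8sIIII12xI", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), chars, pe[ptr:ptr + size]

def static_flags(pe: bytes, threshold: float = 7.0) -> list:
    """Return heuristic findings; an empty list means nothing stood out."""
    found = []
    for name, chars, raw in sections(pe):
        if name in PACKER_NAMES:
            found.append(f"{name}: packer section name")
        if chars & MEM_EXECUTE and chars & MEM_WRITE:
            found.append(f"{name}: writable and executable")
        if entropy(raw) > threshold:
            found.append(f"{name}: high entropy")
    return found

def build_sample(specs) -> bytes:
    """Constructed header-only PE image for the demo (not a loadable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0, 0x102)
    table, body, base = b"", b"", 64 + 24 + 40 * len(specs)
    for name, chars, raw in specs:
        table += struct.pack("<8sIIII12xI", name.encode(), len(raw), 0x1000,
                             len(raw), base + len(body), chars)
        body += raw
    return dos + b"PE\0\0" + coff + table + body

PLAIN = build_sample([(".text", MEM_EXECUTE, b"\x55\x8b\xec\x90" * 1024)])
PACKED = build_sample([("UPX0", MEM_EXECUTE | MEM_WRITE, bytes(range(256)) * 16)])
```

`static_flags(PLAIN)` returns an empty list, while `static_flags(PACKED)` reports the packer section name, the writable and executable section, and the high entropy.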
 

Wave

@yigido

We have someone called Bob and someone called Fiona - Bob is an innocent 15 year old who likes to play some video games from Steam, whereas Fiona on the other hand is a professional hacker (well really she is just a script kiddie who copy pastes code from the web but for the sake of this, we will call her a "professional hacker" because all script kiddies think they are).

Where is this going you may be wondering? OK so Bob is one day googling "How to crack <game name>" and he finds some suspicious looking downloads but he is click-happy and he is living for the moment so he decides to download it and run it even though he knows it might not be safe because his mum pays the bills and his mum's banking details are on the system instead of his own so he doesn't really care.

However, the program he really downloaded was a sample released by Fiona... The master of script kiddies. What did she do? She copy pasted the most basic code off the web (probably StackOverflow or from a CodeProject downloaded project) for key-logging but it's still sufficient enough to identify when keystrokes are being entered as credentials for banking websites. Therefore, when Bob's mum is using the system for her online banking later on, the credentials become stolen... The keylogger logs are sent back to the attacker (Fiona).

Hmm, now you may be wondering... Why didn't the sample get detected by real-time protection via these amazing, superb, invincible signatures which are the absolute and foremost important line of defence when it comes to AV software? Well that answer is easy... Fiona downloaded a new FUD packer off a hacking forum for free, ran her sample through the packer, and then released it. Simple as that.

Now Fiona is living the life like she is in heaven because she has transferred money from this innocent kid's mother's bank account into her own accounts, and is having happy days wearing her new Gucci and Louis Vuitton shoes and bags.

Now you may be wondering, "hmm so how come the BB/HIPS/Dynamic Heuristics.... didn't block this threat during execution?", well the answer to that is simple as well... Bob was using AVG (instead of Emsisoft) which doesn't really have any real zero-day behavioural protection components which behave and protect like BB/HIPS. :D :p

If only people just watched what they were downloading/running, what websites they were visiting... And if necessary, even what security products they were using! The world would be a better place... More free from infection than not... But it won't happen, impossible. Take this thread as an example of why, with "detection" still being the focus for some as opposed to the "prevention" for mitigating the attacks in the first place!
 

yigido

@Wave

Thank you for your long writings and I am very sad about Bob's mom :( If people will go with the same practices, from 2017 to 4ever, more moms will be unhappy...
So I gave up from long writes to explain things :) People decide what they want.
I am sure Bob disabled the real-time protection to hide his "crack" from AV :D
 

Wave

@Wave

Thank you for your long writings and I am very sad about Bob's mom :( If people will go with the same practices, from 2017 to 4ever, more moms will be unhappy...
So I gave up from long writes to explain things :) People decide what they want.
I am sure Bob disabled the real-time protection to hide his "crack" from AV :D
I feel the same way actually, the posts I wrote above will most likely be ignored and people will work in recursive circles. For example, you pointed out the problem with AV detection by mentioning that the prevention is the important factor in AV testing these days first and foremost, and then you got beaten up by people with invalid facts about how signature protection is a god (those words weren't exactly used but you know what I mean). :D

(by "beaten up" I don't mean you got attacked for example, but just mostly ignored.. or people defending their opinions against the truth we live in).

Give it 10 years and people will appreciate the previous posts telling them how it is, but until then people will live with a false sense of security, thinking we are all just "self-proclaimed experts" (are we really that?) :D :p :eek: They can take it how they will... But if someone really thinks what me or you said was wrong, I want them to elaborate why, not just say so... Or the discussion is even more pointless.

People should re-read the quote below, because it is very true but people still think signatures are great... No my friend, they are obsolete! But people are re-explaining and re-explaining and all I ever see is a recursive pattern... Like sheep being herded into a barn, then being allowed out, and ending up back in the barn.
Considering how much malware is being created this very minute, can you imagine how long it takes security companies to be able to catch up to the "bad guys" with signatures?
 

yigido

@Wave

About AV signature updates... some vendors do not care about my local viruses, I saw this before... and I do not care about detecting a malware which is written for Antarctica :D ... day by day... updates coming and sitting on my drive. Why? I just accept that antivirus brings usability if you are using default deny. But many times, AV signatures detect legit files as malware... I am pissed off by these scenarios of antivirus.
 