App Review Avast vs ESET vs Kaspersky vs Emsisoft Detection Test

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Status
Not open for further replies.
Y

yigido

Detection test again? I didn't watch and I won't watch the detection test videos.
Simply 'useless'
Thanks anyway but suggestion for the video owner, "do not waste your time with detection tests, if you want to review softwares please do prevention tests"
Regards,
yigido
 

safe1st

Level 17
Thread author
Verified
Top Poster
Well-known
Jan 29, 2016
812
Detection test again? I didn't watch and I won't watch the detection test videos.
Simply 'useless'
Thanks anyway but suggestion for the video owner, "do not waste your time with detection tests, if you want to review softwares please do prevention tests"
Regards,
yigido

1 question. But why people still want to know about detection ratio on product A, B, etc?
and also this one for an example
AV-TEST – The Independent IT-Security Institute
 
Y

yigido

1 question. But why people still want to know about detection ratio on product A, B, etc?
and also this one for an example
AV-TEST – The Independent IT-Security Institute
Have it your way!
I am trying to teach people detection is not the real protection.. What about "there is no detection for a file?"
Did you run the sample ? Lets say your AV detected 99/100 and the last "ransomware" sample encrypte all your files after run!
What happen then? Can you say to the AV vendor hey it is great product with 99% detection ratio??
Can you re-take your money, did teh vendor give you warranty ?
I do not want to discuss more, please read the first sentence in this post and play your antivirus detection game till forever.
You will never reach anywhere with this game.

Regards,
yigido
 

kiric96

Level 19
Verified
Well-known
Jul 10, 2014
917
Have it your way!
I am trying to teach people detection is not the real protection.. What about "there is no detection for a file?"
Did you run the sample ? Lets say your AV detected 99/100 and the last "ransomware" sample encrypte all your files after run!
What happen then? Can you say to the AV vendor hey it is great product with 99% detection ratio??
Can you re-take your money, did teh vendor give you warranty ?
I do not want to discuss more, please read the first sentence in this post and play your antivirus detection game till forever.
You will never reach anywhere with this game.

Regards,
yigido

lets say you are right, however signatures are one of the first layer of security that AV can have to protect a given user, since I WOULD prefer a file detected before it can do something than while running (it may be possible that some sort of damage can be caused) so this is why no matter how many modules certain AV uses, signatures are the most important part of an AV along with URL protection

thx @safe1st for the nice video as always awesome!
 

novocaine

Level 5
Verified
Well-known
Aug 19, 2016
200
thanks for the video :), but I would say it's unfair for ESET, because the result is about how many malware left right? but you set ESET to "clean" the detected threats, while you set the other AVs to "delete". clean means disinfect or neutralize, so the threats successfully cleaned means it's disinfected or neutralized but the file remains there, the file still inside the folder but it's not harmful anymore, but delete means you absolutely make the whole file disappear, no cleaning, neutralizing or disinfecting effort, an absolute delete, you should re-test :) and of course with ESET cleaning level as "no cleaning" so after scanning complete, you'll be given the option to delete, then it will be equal, I'm sure that among 288 samples you did, there are some malware that successfully cleaned so it left the files behind
 

safe1st

Level 17
Thread author
Verified
Top Poster
Well-known
Jan 29, 2016
812
thanks for the video :), but I would say it's unfair for ESET, because the result is about how many malware left right? but you set ESET to "clean" the detected threats, while you set the other AVs to "delete". clean means disinfect or neutralize, so the threats successfully cleaned means it's disinfected or neutralized but the file remains there, the file still inside the folder but it's not harmful anymore, but delete means you absolutely make the whole file disappear, no cleaning, neutralizing or disinfecting effort, an absolute delete, you should re-test :) and of course with ESET cleaning level as "no cleaning" so after scanning complete, you'll be given the option to delete, then it will be equal, I'm sure that among 288 samples you did, there are some malware that successfully cleaned so it left the files behind

How do I change the scanner's default response to a virus detection?
Advanced scanning options in ESET Windows home products
Strict cleaning: In this mode, your ESET product will automatically clean or delete infected files without user intervention; the only exceptions are system files. If the scanner detects an infected system file that cannot be cleaned, you will be prompted with an alert window that will allow you to select from a list of available actions.

I use strict cleaning in this video.
 
Last edited:

novocaine

Level 5
Verified
Well-known
Aug 19, 2016
200
How do I change the scanner's default response to a virus detection?
Strict cleaning: In this mode, your ESET product will automatically clean or delete infected files without user intervention; the only exceptions are system files. If the scanner detects an infected system file that cannot be cleaned, you will be prompted with an alert window that will allow you to select from a list of available actions.

I use strict cleaning in this video.

edit:

I was wrong, and @safe1st you're right, my understanding about clean and delete got contaminated by other AV , that ESET clean means delete in 'strict cleaning' , thanks
 
Last edited:

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
lets say you are right, however signatures are one of the first layer of security that AV can have to protect a given user, since I WOULD prefer a file detected before it can do something than while running (it may be possible that some sort of damage can be caused) so this is why no matter how many modules certain AV uses, signatures are the most important part of an AV along with URL protection

thx @safe1st for the nice video as always awesome!
great point. 100% agree :)
behaviour blocker or other modules cannot fully protect users from all kinds of malwares and signatures give a hand and deal with them
 

Davidov

Level 10
Verified
Well-known
Sep 9, 2012
470

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
How about doing a new series of test called Proactive test. Disable all components, except the proactive components and execute malware(10 minimum) to see how the AVs can handle it.

great point. 100% agree :)
behaviour blocker or other modules cannot fully protect users from all kinds of malwares and signatures give a hand and deal with them
Well, the same can be said about signature protection. Considering how many malware are being created this very minute, can you imagine how long it takes security companies to be able to catch up to the "bad guys" with signatures?
 
W

Wave

Detection test again? I didn't watch and I won't watch the detection test videos.
Simply 'useless'
Thanks anyway but suggestion for the video owner, "do not waste your time with detection tests, if you want to review softwares please do prevention tests"
Regards,
yigido
I don't think your opinion is correct because what you said isn't an opinion, it's actually a fact that they are useless. Since once the system has already become infected it can be game over where the system has become beyond repair... Or the malware will already have done damage beyond repair (e.g. ransomware has encrypted all your personal documents, sure you can clean the system but now you've lost your files permanently without paying a ransom which is a bad risk in itself, as long as the encryption algorithm used by the ransomware was strong and the sample was made by someone with real knowledge).

In fact, if your system becomes infected and you do not format your hard-drive and then reinstall the OS, no matter how many on-demand scanners/real-time scanners you have running/active, you'll never be certain for if your system is really clean or not, unless you had completely reversed the sample/code which was originally responsible for infecting the machine to understand exactly what it did on your system. E.g. how do you know the sample didn't result in infection of your BIOS (e.g. firmware infection)? Now I'd love to see Malwarebytes Anti-Malware have a go at detecting and cleaning this! :D

Point being, it's all about prevention these days, even if AVs were originally invented with the purpose of cleaning already-infected machines. You install the security product on a clean system and keep your watch out whilst your security software is in the background working as a little extra help... Keep a look out and apply good online practises and chances are you'll be fine (even without additional protection), that is how it should be. Not how it currently is, where people assume they are bullet-proof because they are running the latest version Malwarebytes Anti-Malware in the background and assume one scan of HitmanPro will make their system 100% clean after malware gets through the MBAM real-time...

You know, the ones that are like, "Oh there's a new MBAM update? Lemme install this quick so I can go about downloading a ton of random crap from the web and show off how powerful it is at making me invincible.. Oh wait what? Damn, my files are now encrypted! Damn, MBAM sucks! Microsoft security sucks! Why can't anyone make something decent and care about the users for once?!"....

signatures are the most important part of an AV along with URL protection
We are in 2016 now and we're going into 2017 - believe me, signatures and URL protection are definitely not the 'most important part of an AV' these days, but maybe back in 2012 a few years ago. Signature detection can still be useful because as you said, 'signatures are one of the first layer of security that AV can have to protect a given user, since I WOULD prefer a file detected before it can do something than while running', but the most important? Not a chance, especially these days. Malware authors are improving more and more, a majority of them are familiar with what "packing"/"obfuscation" is, which helps avoid a lot of static detection alone.

Static heuristics are quite important compared to signatures... Therefore, checking the imported functions (and what libraries they are from), checking the exports, scanning the PE File Header for any interesting characteristics, scanning for strings within the binary, checking the resources, even using an unpacking engine to attempt to unpack the packed sample being scanned (if packing has been identified) to scan it properly (since packing techniques will end up concealing things like imported functions).

Regardless, it's incredibly easy for malware authors to avoid signature detection and have their URL undetected (for first launch of their malware at least)...

1 question. But why people still want to know about detection ratio on product A, B, etc?
and also this one for an example
AV-TEST – The Independent IT-Security Institute
Because they don't understand the more important factors or that there is no "best" security product out there, and therefore they come to us asking these questions to help them gain more knowledge, but usually people don't explain how there is no "best" AV and just recommend a product of their fan-boy choice. It's a shame really.

great point. 100% agree :)
behaviour blocker or other modules cannot fully protect users from all kinds of malwares and signatures give a hand and deal with them
It sure has a better chance at catching out zero-day ransomware, rootkits, injectors, keyloggers, worms, downloaders, and other types of malware like general web-browser hijackers/spyware, than signature detection.
 
W

Wave

@yigido

We have someone called Bob and someone called Fiona - Bob is an innocent 15 year old who likes to play some video games from Steam, whereas Fiona on the other-hand is a professional hacker (well really she is just a script kiddie who copy pastes code from the web but for the sake of this, we will call her a "professional hacker" because all script kiddies think they are).

Where is this going you may be wondering? OK so Bob is one day googling "How to crack <game name>" and he finds some suspicious looking downloads but he is click-happy and he is living for the moment so he decides to download it and run it even though he knows it might not be safe because his mum pays the bills and his mums banking details is on the system instead of his own so he doesn't really care.

However, the program he really downloaded was a sample released by Fiona... The master of script kiddies. What did she do? She copy pasted the most basic code off the web (probably StackOverflow or from an CodeProject downloaded project) for key-logging but it's still sufficient enough to identify when keystrokes are being entered as credentials for banking websites. Therefore, when Bobs' mum is using the system for her online banking later on, the credentials become stolen... The keylogger logs are sent back to the attacker (Fiona).

Hmm, now you may be wondering... Why didn't the sample get detected by real-time protection via these amazing, superb, invincible signatures which are the absolute and fore-most important line of defence when it comes to AV software? Well that answer is easy... Fiona downloaded a new FUD packer off a hacking forum for free, ran her sample through the packer, and then released it. Simple as that.

Now Fiona is living the life like she is heaven because she has transferred money from this innocent kids' mother's bank account into her own accounts, and is having happy days wearing her new Gucci and Luis Vuitton shoes and bags.

Now you may be wondering, "hmm so how come the BB/HIPS/Dynamic Heuristics.... didn't block this threat during execution?", well the answer to that is simple as well... Bob was using AVG (instead of Emsisoft) which doesn't really have any real zero-day behavioural protection components which behave and protect like BB/HIPS. :D :p

If only people just watched what they were downloading/running, what websites they were visiting... And if necessary, even what security products they were using! The world would be a better place... More free from infection than not... But it won't happen, impossible. Take this thread as an example of why, with "detection" still being the focus for some as opposed to the "prevention" for mitigating the attacks in the first place!
 
Y

yigido

@Wave

Thank you for your long writings and I am very sad about Bob's mom :( If people will go with the same practices, from 2017 to 4ever , more moms will be un-happy...
So I gave up from long writes to explain things :) People decide what they want.
I am sure Bob disabled the real-time protection to hide his "crack" from AV :D
 
W

Wave

@Wave

Thank you for your long writings and I am very sad about Bob's mom :( If people will go with the same practices, from 2017 to 4ever , more moms will be un-happy...
So I gave up from long writes to explain things :) People decide what they want.
I am sure Bob disabled the real-time protection to hide his "crack" from AV :D
I feel the same way actually, the posts I wrote above will most likely be ignored and people will work in recursive circles. For example, you pointed out the problem with AV detection by mentioning that the prevention is the important factor in AV testing these days first and foremost, and then you got beaten up by people with invalid facts about how signature protection is a god (those words weren't exactly used but you know what I mean). :D

(by "beaten up" I don't mean you got attacked for example, but just mostly ignored.. or people defending their opinions against the truth we live in).

Give it 10 years and people will appreciate the previous posts telling them how it is, but until then people will live with a false sense of security, thinking we are all just "self-proclaimed experts" (are we really that?) :D :p :eek: They can take it how they will... But if someone really thinks what me or you said was wrong, I want them to elaborate why, not just say so... Or the discussion is even more pointless.

People should re-read the quote below, because it is very true but people still think signatures are great... No my friend, they are obsolete! But people are re-explaining and re-explaining and all I ever see is a recursive pattern... Like sheep being hurdled into a barn, then being allowed out, and ending up back in the barn.
Considering how many malware are being created this very minute, can you imagine how long it takes security companies to be able to catch up to the "bad guys" with signatures?
 
Y

yigido

@Wave

About AV signature updates, ..some vendors do not care about my local viruses I saw this before.. and I do not care about detecting a malware which is written for Antartica :D ..day by day..updates coming and sitting on my drive Why? I just accepts antivirus brings usability if you are using default deny. But many of times, AV signatures detects legit files as malware.. I pissed off from these senarios of antivirus.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top