App Review Behavior-Test (BitDefender, Emsisoft, ESET, Kaspersky)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

FrankS

Level 3
Thread author
Verified
Well-known
Dec 22, 2015
148
Hey guys. I did a small behavior-test with 29 Samples downloaded from the Malware Hub. Thank you all for sharing the samples. Without them I could not perform such tests. Have fun :)

Tested programs:
  • BitDefender Total Security 2017 (Beta)
  • Emsisoft Internet Security 11 (Final)
  • ESET Internet Security 10 (Beta)
  • Kaspersky Internet Security 2017 (Final)

How did I test?
I...
  • Disabled real-time virus scanning
  • Unpacked the samples to the Desktop and launched them

System-Facts:
Virtualization Software: VMware Workstation
Operating System: Windows 10 Pro x64 - Version 1607
3 Cores of CPU - 8GB RAM

BitDefender Total Security 2017 (Beta)

BitDefender Total Security (Beta): 25/29 - 86,2%
HitmanPro.Alert (not blocked by BitDefender): 2
Total blocked (BitDefender + HMP.Alert): 27/29 - 93,1%
HitmanPro + Emsisoft Emergency Kit scanning result: Not assessable
After the following samples have been executed: Clean
System encrypted: Yes - 1 time
Any picture, text or excel document infected/encrypted: Not assessable
After the following samples have been executed: No
After-test-Scanning via context-menu (checking signature-based detection): 29/29 - 100%
Setup: Default
Result (in relation to the behavior analysis): Failed - System has been encrypted

Emsisoft Internet Security 11 (Final)

Emsisoft Internet Security: 22/29 - 75,9%
HitmanPro.Alert (not blocked by Emsisoft): 1
Total blocked (Emsisoft + HMP.Alert): 23/29 - 79,3%
HitmanPro + Emsisoft Emergency Kit scanning result: Infected system folders, cleaned up with HMP & EEK
System infected/encrypted: No
Any picture, text or excel document infected/encrypted: No
After-test-Scanning via context-menu (checking signature-based detection): 29/29 - 100%
Setup: Default
Result (in relation to the behavior analysis): Average - Manual virus scanning needed to clean up

ESET Internet Security 10 (Beta)


ESET Internet Security (Beta): 13/29 - 44,8%
HitmanPro.Alert (not blocked by ESET): 4
Total blocked (ESET + HMP.Alert): 17/29 - 58,6%
HitmanPro + Emsisoft Emergency Kit scanning result: Infected, but usable after restart - cleaned up after restart
System infected/encrypted: No
Any picture, text or excel document infected/encrypted: No
After-test-Scanning via context-menu (checking signature-based detection): 28/29 - 96,6%
Setup: Custom
  • Enabled device control
  • Enabled document protection

Result (in relation to the behavior analysis): Average - system was usable after reboot, but very many infected processes and files in the temp/appdata folders while testing/executing the samples

Kaspersky Anti-Virus 2017 (Final)

Kaspersky Anti-Virus: 25/29 - 86,2%
HitmanPro.Alert (not detected by Kaspersky): 1
Total blocked (Kaspersky + HMP.Alert): 26/29 - 89,7%
HitmanPro + Emsisoft Emergency Kit scanning result: Clean
System infected/encrypted: No
Any picture, text or excel document infected/encrypted: No
After-test-Scanning via context-menu (checking signature-based detection): 29/29 - 100%
Setup: Custom
  • Disabled "Release resources to the operating system when the computer starts" (Performance)
  • Changed the action on threat detection to "Delete" (Scan)
  • Enabled "Detect other software that can be used by criminals to damage your computer or personal data" (Threats and Exclusions)

Result (in relation to the behavior analysis): Passed
 

N31R

Level 1
Verified
Jul 25, 2016
30
I haven't watched the videos yet, but KIS uses heuristics and signatures for Application Control classification, so anything detected by signatures will be put into Untrusted and blocked from executing. So it's not really a behavioral test for KIS. ;)
Either use KAV, or modify the Application control rules for the untrusted group so it's like Low restricted (worst case scenario).
 

FrankS

Level 3
Thread author
Verified
Well-known
Dec 22, 2015
148
> I haven't watched the videos yet, but KIS uses heuristics and signatures for Application Control classification, so anything detected by signatures will be put into Untrusted and blocked from executing. So it's not really a behavioral test for KIS. ;)
> Either use KAV, or modify the Application control rules for the untrusted group so it's like Low restricted (worst case scenario).

Yeah right. I forgot the application control. Edited the thread, will do a new review. Thanks for that hint.
 

N31R

Level 1
Verified
Jul 25, 2016
30
> Yeah right. I forgot the application control. Edited the thread, will do a new review. Thanks for that hint.

No problem. You'll probably receive a lot of "PDM:Trojan.Win32.Bazon.a" detections from System Watcher if your samples are relatively old. Kaspersky usually adds cloud "behavioral" detection for known malware samples, which basically is a constantly updated behavioral signature. If you're disconnected from the internet you'll only get the "traditional"/local behavioral detections (PDM:Trojan.Win32.Generic etc.) without the cloud-only signatures.
 

FrankS

Level 3
Thread author
Verified
Well-known
Dec 22, 2015
148
> Can you do the test with ESET 10 Beta?

> No problem. You'll probably receive a lot of "PDM:Trojan.Win32.Bazon.a" detections from System Watcher if your samples are relatively old. Kaspersky usually adds cloud "behavioral" detection for known malware samples, which basically is a constantly updated behavioral signature. If you're disconnected from the internet you'll only get the "traditional"/local behavioral detections (PDM:Trojan.Win32.Generic etc.) without the cloud-only signatures.

Updated:
  • replaced KIS 17 with KAV 17
  • added ESET IS 10
 

kiric96

Level 19
Verified
Well-known
Jul 10, 2014
917
> Hey guys. I did a small behavior-test with 29 Samples. Have fun :)
>
> ESET Internet Security 10 (Beta)
>
> ESET Internet Security (Beta): 13/29 - 44,8%
> HitmanPro.Alert (not blocked by ESET): 4
> Total blocked (ESET + HMP.Alert): 17/29 - 58,6%
> HitmanPro + Emsisoft Emergency Kit scanning result: Infected, but usable after restart - cleaned up after restart
> System infected/encrypted: No
> Any picture, text or excel document infected/encrypted: No
> After-test-Scanning via context-menu (checking signature-based detection): 28/29 - 96,6%
> Setup: Custom
>   • Enabled device control
>   • Enabled document protection
>
> Result (in relation to the behavior analysis): Average - system was usable after reboot, but very many infected processes and files in the temp/appdata folders while testing/executing the samples

It seems that you didn't turn off all ESET modules. Remember that ESET has operative memory scan, document integration and so on. What happens here is that although real-time scan was off, those modules weren't, so you end up with the samples being detected by signatures. Also notice that ESET doesn't have a BB; it just has a HIPS, which in most cases will ask you what to do.

PS: for the rest, nice review bro! I know it takes time to do this kind of stuff, keep going!
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Nice review series these days @FrankS, thank you for the shares :)
Would you mind doing a test like this on Qihoo 360 Total Security (Essentials)? Which one doesn't matter, they should have the same features (minus the cleanup stuff and newest features of Total Security in Essentials). I haven't been using it for a few months, but would love to see if they kept up the (very) good HIPS protection level.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Great test, really liked the whole idea of it.
About Kaspersky 2017: it is not yet fully optimized for Windows 10 Anniversary Update. (It lacks in memory protection, if I remember right.) That is the system you were testing on, right? However, Kaspersky 2016 with patch 'e' is fully ready for Windows 10 AU.
 
