Thanks for the detailed response! The comparison itself might be wrong:
Let me say how this works:
SW waits for certain actions to get triggered:
modification of startup, encryption of a few files; then it rolls back all the malicious actions to a previous state (with a restart).
SW's intelligence lies in its rollback system.
DG: DG intercepts and reacts faster in most cases. It just BLOCKS the actions. All the remnants will remain on the system.
SONAR: above SW in capability. Catches some highly sophisticated malware better than other behavior blockers. But in some rare cases analysis takes a bit more time before a verdict is reached. Works with Heuristics (R.T.) protection. Removal depends upon the threshold level of malicious behavior.
From the above, it is clear that the way they work differs. Some react late but the later result is clean; some react faster but the system remains not clean.
Moreover, all BBs require constant updates to trace the behaviors over time. If a BB fails against a simple malware but catches a highly sophisticated one, then -------.
Constant development and user threat statistics are vital for any BB (vendor) to work effectively.
I say "NO VOTE" because no one situation can trigger the effectiveness of any BB, but as per tests I pick SONAR, SW. (Only based on tests.)
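As an added illustration of the three reaction styles the post above describes (block the single action and move on, accumulate a score and terminate late, accumulate a score and then roll back), here is a toy replay of a constructed event stream. This is example code written for this thread, not code from Kaspersky, F-Secure or Symantec; the action weights, thresholds, file paths and the registry path are all made up for the example, and the point is only to show why one style leaves remnants and another ends clean.

```python
from dataclasses import dataclass, field

# Per-action suspicion weights. Constructed values for this example only.
SCORES = {
    "read_file": 0,
    "write_autorun": 40,   # persistence through a startup entry
    "encrypt_file": 30,    # overwrite a user file with ciphertext
}

# Constructed event stream: a process that persists, then encrypts three files.
EVENTS = [
    {"action": "read_file", "target": "C:/Users/alice/doc1.txt"},
    {"action": "write_autorun", "target": "HKCU/Run/updater"},
    {"action": "encrypt_file", "target": "C:/Users/alice/doc1.txt"},
    {"action": "encrypt_file", "target": "C:/Users/alice/doc2.txt"},
    {"action": "encrypt_file", "target": "C:/Users/alice/doc3.txt"},
]


@dataclass
class Host:
    """Minimal model of the protected machine: a few files and autorun entries."""
    files: dict = field(default_factory=lambda: {
        "C:/Users/alice/doc1.txt": "plain1",
        "C:/Users/alice/doc2.txt": "plain2",
        "C:/Users/alice/doc3.txt": "plain3",
    })
    autoruns: set = field(default_factory=set)
    journal: list = field(default_factory=list)  # undo log used by rollback

    def apply(self, ev, journal):
        """Perform the event's side effect; record how to undo it when journaling."""
        act, tgt = ev["action"], ev["target"]
        if act == "write_autorun":
            if journal:
                self.journal.append(("autorun", tgt, None))
            self.autoruns.add(tgt)
        elif act == "encrypt_file":
            if journal:
                self.journal.append(("file", tgt, self.files.get(tgt)))
            self.files[tgt] = "<encrypted>"
        # read_file has no side effect on the host

    def rollback(self):
        """Undo journaled changes in reverse order (the rollback style)."""
        while self.journal:
            kind, tgt, old = self.journal.pop()
            if kind == "autorun":
                self.autoruns.discard(tgt)
            else:
                self.files[tgt] = old

    def summary(self):
        return {
            "encrypted": sum(v == "<encrypted>" for v in self.files.values()),
            "autoruns": len(self.autoruns),
        }


def run(events, mode, threshold):
    """Replay events under one reaction style and report what is left behind.

    "block":          veto any single action scoring >= threshold, let the rest
                      through and keep the process alive (remnants of allowed
                      actions remain on the host).
    "score":          let actions through while accumulating a score; once the
                      score reaches threshold, terminate the process. Verdict
                      comes late and nothing is cleaned up.
    "score+rollback": as "score", but every action is journaled and undone
                      once the verdict is reached.
    """
    host = Host()
    score = 0
    result = {"vetoed": [], "terminated_at": None}
    for i, ev in enumerate(events):
        s = SCORES[ev["action"]]
        if mode == "block":
            if s >= threshold:
                result["vetoed"].append(i)
                continue
            host.apply(ev, journal=False)
        else:
            host.apply(ev, journal=(mode == "score+rollback"))
            score += s
            if score >= threshold:
                result["terminated_at"] = i
                if mode == "score+rollback":
                    host.rollback()
                break
    result.update(host.summary())
    return result


if __name__ == "__main__":
    for mode, thr in (("block", 35), ("score", 60), ("score+rollback", 60)):
        print(mode, run(EVENTS, mode, thr))
```

With these constructed weights the block-only policy vetoes the autorun write but lets all three encryptions through (three encrypted files remain), the score-then-terminate policy stops the process after the first encryption but leaves one encrypted file and the autorun entry behind, and the score-then-rollback policy ends with no autorun and all files restored. The late verdict costs one encrypted file during the window before the threshold is reached, which is the trade-off the post above points at.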
> Analysis takes a bit more time, before a verdict is reached.
What does it do until a verdict is reached? Does it allow? Does it block? Or is this configurable?
> On its own, I believe SONAR can be a clear winner. Nevertheless, SystemWatcher when used with Application Control and several other modules of the suite is unbeatable.
Application Control is application whitelisting? Some sort of anti-exe based on getting a verification from Kaspersky's cloud?
> I will say Emsisoft Anti-Malware, as I use it and I'd say it is one of the best I have used. I think SONAR is aggressive; when I used it before it caused a lot of false positives (this was in Norton Security, not Symantec; I do not know about it).
> For System Watcher, it is fantastic, but I found Kaspersky a bit consuming on resources.
> DeepGuard I did not try before, as I think the F-Secure UI is ugly.
How does the Emsisoft behavior blocker component compare to the 3 mentioned in the poll? Is there any testing of it?
> How does the Emsisoft behavior blocker component compare to the 3 mentioned in the poll? Is there any testing of it?
I just posted a video of it. Its behavior blocker was fantastic against ransomware; here is the link for it.
> Application Control is application whitelisting? Some sort of anti-exe based on getting a verification from Kaspersky's cloud?
Application Control is a module included in Kaspersky suites, which is strictly connected with firewall rules and Kaspersky's Vendor List. It divides all files into groups:
Thanks, how does it do against other threats, eg how did it do against Astaroth
> Thanks, how does it do against other threats, eg how did it do against Astaroth
Read this:
Dismantling a fileless campaign: Microsoft Defender ATP's Antivirus exposes Astaroth attack - Microsoft Security (www.microsoft.com): Advanced technologies in Microsoft Defender ATP's Antivirus exposed and defeated a widespread fileless campaign that completely "lived off the land" throughout a complex attack chain that ran the info-stealing backdoor Astaroth directly in memory.
back when Astaroth was a 0-day (not blocked by signatures)
That's indeed cool! Emsisoft is officially then the 4th option, even if not part of the poll. I would be curious how DeepGuard performs against the same.
The Emsisoft behavior blocker is indeed impressive. Yesterday I was building a project that involved batch files downloading other scripts from github and executing them, and that got flagged. Even using a not-well-known build of VMWare Workstation triggered “injector” detection.
The downside though is without cloud reputation serving as a whitelisting mechanism it seems like these behavior blockers would be pretty FP-prone. All depends on the balance one desires between FP’s versus escapes.
Behavioral monitoring will be inefficient, if not ineffective, against the latest and greatest application exploits.
To be honest I'm not sure I'd want cloud whitelisting. E.g. if Chrome gets hit by an exploit and starts doing funny things, I'd want the BB to flag it; if Chrome is whitelisted due to being legit software then it won't be as effective. Same applies to e.g. Excel when opening a malcoded spreadsheet.
> Behavioral monitoring will be inefficient, if not ineffective, against the latest and greatest application exploits.
I don't expect it to prevent the exploit but to do post-exploit damage control, as the exploited application won't be behaving as normal.
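The last few posts argue about where cloud reputation should sit: used as a blanket whitelist it cuts false positives but hides an exploited Chrome or Excel, while ignoring reputation flags every legitimate installer. The following added example (written for this thread, not any vendor's logic) scores three gating policies against a small, constructed set of process events with made-up ground truth: no reputation at all, reputation as a whitelist, and reputation combined with a per-process behaviour profile so that a trusted process is still flagged when it acts outside its profile. The process names, the reputation table, the profiles and the ground-truth labels are all assumptions for the example.

```python
# Actions a behaviour blocker would treat as suspicious (constructed set).
SUSPICIOUS = {"spawn_shell", "write_autorun", "inject_process"}

# Constructed stand-in for a cloud reputation lookup.
REPUTATION = {
    "chrome.exe": "trusted",
    "excel.exe": "trusted",
    "vendor_setup.exe": "trusted",
    "dropper.exe": "unknown",
}

# Constructed "normal behaviour" sets for trusted processes. A real product
# would learn or ship these; here they are hand-written for the example.
PROFILE = {
    "chrome.exe": {"network_connect", "write_file"},
    "excel.exe": {"read_file", "write_file"},
    "vendor_setup.exe": {"write_file", "write_autorun"},
}

# (process, action, is_malicious). Ground truth is constructed: the first two
# model an exploited browser and a malcoded spreadsheet spawning a shell, the
# third a legitimate installer persisting, the fourth an unknown dropper.
EVENTS = [
    ("chrome.exe", "spawn_shell", True),
    ("excel.exe", "spawn_shell", True),
    ("vendor_setup.exe", "write_autorun", False),
    ("dropper.exe", "write_autorun", True),
    ("chrome.exe", "network_connect", False),
]


def flagged(process, action, policy):
    """Decide whether one event raises an alert under the given policy.

    "none":      reputation ignored; every suspicious action is flagged.
    "whitelist": trusted processes are never flagged (cloud whitelist).
    "baseline":  trusted processes are flagged only when the action is
                 outside their behaviour profile; unknown ones always.
    """
    if action not in SUSPICIOUS:
        return False
    trusted = REPUTATION.get(process) == "trusted"
    if policy == "none":
        return True
    if policy == "whitelist":
        return not trusted
    if policy == "baseline":
        return not trusted or action not in PROFILE.get(process, set())
    raise ValueError(f"unknown policy {policy!r}")


def evaluate(policy, events=EVENTS):
    """Count detections, false positives and misses for a policy."""
    detected = false_positives = missed = 0
    for process, action, malicious in events:
        alert = flagged(process, action, policy)
        if alert and malicious:
            detected += 1
        elif alert and not malicious:
            false_positives += 1
        elif malicious and not alert:
            missed += 1
    return {"detected": detected, "false_positives": false_positives, "missed": missed}


if __name__ == "__main__":
    for policy in ("none", "whitelist", "baseline"):
        print(policy, evaluate(policy))
```

On this constructed data the no-reputation policy catches everything but flags the legitimate installer, the whitelist policy has no false positive but misses both exploited trusted applications, and the profile-based policy keeps the trusted processes under watch for out-of-profile actions. The profile here is hand-written and generous, so the third result is idealised; the practical point is that reputation works better as an input to the behaviour verdict than as a bypass of it.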