Battle Behavioural Protection, which is better?

[RRlight]

In terms of protecting against unknown threats, IMO behaviour protection is more important than heuristic. So only consider this aspect, how are these working?

 

[Bot]

Behavioural protection works by monitoring the behaviour of applications and programs in real time. If it detects any suspicious activity or deviation from usual patterns, it triggers an alert or blocks the activity. On the other hand, heuristic analysis is more about detecting new, unknown threats by examining code and looking for patterns or characteristics that are typical of malware. Both have their strengths, but behavioural protection tends to be more effective at catching zero-day threats.

 

[Shadowra]

Kaspersky, Bitdefender

 

[Nikola Milanovic]

Xcitium VirusScope(Static and Dynamic Behaviour Analysis with machine learning)

 

[Jonny Quest]

Xcitium VirusScope(Static and Dynamic Behaviour Analysis with machine learning)

For a home user, as in the Compare list shown above?

 

[Nikola Milanovic]

For a home user, as in the Compare list shown above?

then Comodo VirusScope(Static and Dynamic Behaviour Analysis with machine learning)

 

[Jengo]

G DATA

 

[Captain Awesome]

Emsisoft

 

[Allego]

Out of those list, I'm only familiar with Kaspersky so I say System Watcher. But why not try them all out and see what works best on your system

 

[RRlight]

Out of those list, I'm only familiar with Kaspersky so I say System Watcher. But why not try them all out and see what works best on your system

Thanks. I indeed tested some of those. Avast, Kaspersky and F-Secure, with a small amount of samples, double-click if they are not instantly killed by file protection. But their performance is kinda hard to compare, at least for my small tests. For some samples, Kaspersky did well and for other samples avast did well.

Increasing the number of samples would be time-consuming. Besides, I'm also worried the samples could spread through the LAN formed by the virtual and host machine, and infect the host OS.

 

[rashmi]

In my opinion, Kaspersky's System Watcher is unmatched.

 

[KnownStormChaser]

In my opinion, hands down Kaspersky's system watcher. Unbeatable. Not far behind would be Bitdefender.

 

[RoboMan]

Kaspersky's System Watcher, followed by Norton's SONAR. Top notch!

 

[RRlight]

then Comodo VirusScope(Static and Dynamic Behaviour Analysis with machine learning)

Thank you for the reply.

But I tried Comodo 2025 frankly speaking, with default setting, which is closer to common home users. 1st VM I installed its firewall component with F-Secure. So it does have HIPS and VirusScope. But for the new samples I tried to execute, only containment, firewall and HIPS are triggered, didn’t see VirusScope pop up. And even HIPS not quite much F-Secure’s Deep Guard is triggered several times. The 2nd VM is purely CIS 2025. Out of 40 samples the VirusScope is triggered only 4 times, scan detects only 1. So it's 5/40 in total. Compared to Kaspersky with File Protection turned off and without internet, Kaspersky intercepts and kills more than half of the samples., while with internet, more than 30. Although I must say Comodo's containment/sandbox is another viable way for unknown threats surely, with years of history.

 

[Trident]

CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).
Kaspersky System Watcher and Bitdefender are top, followed by Norton Sonar and Avast/AVG IDP.
McAfee Real Protect would be just below these two, on par with F-Secure DeepGuard.

As to behaviour vs heuristic, behavioural analysis is also based on rules called heuristics. One is pre-execution, the other one is post-execution.

Pre-execution analysis blocks threats before they strike but is limited from the point of view that the analysis must be instant with very little resources.
This makes it more prone to evasion compared to post-execution analysis.

Behavioural protection observes the true nature of the file and is less prone to evasion, but is limited from the point of view that stuff is already happening and by the time detection occurs, irreversible damage may already have been done.

This is why pre-execution and post-execution are combined together and none of them is more important than the other but the earlier an attack is blocked, the better. Post-execution protections are hence a last line of defence when everything else has failed.

 

[omidomi]

If you ask me....
honestly I said there is no Evidence for compare(clearly) between these softwares
software x may be detected threats 1 better....software y ....
so so....

 

[rashmi]

But I tried Comodo 2025 frankly speaking, with default setting, which is closer to common home users. 1st VM I installed its firewall component with F-Secure. So it does have HIPS and VirusScope. But for the new samples I tried to execute, only containment, firewall and HIPS are triggered, didn’t see VirusScope pop up. And even HIPS not quite much F-Secure’s Deep Guard is triggered several times. The 2nd VM is purely CIS 2025. Out of 40 samples the VirusScope is triggered only 4 times, scan detects only 1. So it's 5/40 in total. Compared to Kaspersky with File Protection turned off and without internet, Kaspersky intercepts and kills more than half of the samples., while with internet, more than 30. Although I must say Comodo's containment/sandbox is another viable way for unknown threats surely, with years of history.

Comodo's detection technologies have always been average at best. Whitelisting and containment are Comodo's major strengths. If you prioritize prevention over detection, Comodo is worth considering because of its default-deny approach.

 

[Nikola Milanovic]

Thank you for the reply.

But I tried Comodo 2025 frankly speaking, with default setting, which is closer to common home users. 1st VM I installed its firewall component with F-Secure. So it does have HIPS and VirusScope. But for the new samples I tried to execute, only containment, firewall and HIPS are triggered, didn’t see VirusScope pop up. And even HIPS not quite much F-Secure’s Deep Guard is triggered several times. The 2nd VM is purely CIS 2025. Out of 40 samples the VirusScope is triggered only 4 times, scan detects only 1. So it's 5/40 in total. Compared to Kaspersky with File Protection turned off and without internet, Kaspersky intercepts and kills more than half of the samples., while with internet, more than 30. Although I must say Comodo's containment/sandbox is another viable way for unknown threats surely, with years of history.

Comodo VirusScope is really good Shadowra tested it and also i test it everyday its really good

 

[Nikola Milanovic]

Thank you for the reply.

But I tried Comodo 2025 frankly speaking, with default setting, which is closer to common home users. 1st VM I installed its firewall component with F-Secure. So it does have HIPS and VirusScope. But for the new samples I tried to execute, only containment, firewall and HIPS are triggered, didn’t see VirusScope pop up. And even HIPS not quite much F-Secure’s Deep Guard is triggered several times. The 2nd VM is purely CIS 2025. Out of 40 samples the VirusScope is triggered only 4 times, scan detects only 1. So it's 5/40 in total. Compared to Kaspersky with File Protection turned off and without internet, Kaspersky intercepts and kills more than half of the samples., while with internet, more than 30. Although I must say Comodo's containment/sandbox is another viable way for unknown threats surely, with years of history.

Also Xcitium/Comodo has a cloud based file analysis system that has Static and Dynamic Analysis Cloud Verdict Customer Login | Xcitium Cloud Verdict
VirusScope is Static and Dynamic Analysis
Dynamic Analysis:
Static Analysis:

 

[ErzCrz]

Emsisoft I felt was good at behaviour detection though by that point, the malware would already be running. I prefer the default deny approach of CyberLock, Comodo's containment or @Andy Ful 's hardening tools where files are denied by default and analyzed/cloud checked.