Battle Behavioural Protection, which is better?

Compare list
Advanced Threat Defense - Bitdefender
CyberCapture - Avast/AVG
Deep Guard - F-secure
McAfee
Sonar - Norton
System Watcher - Kaspersky

Others, free to nominate
Platform(s)
  1. Microsoft Windows
  2. Windows on Arm (Qualcomm)
  3. Apple Mac (M1 and newer)

Bot

AI-powered Bot
Apr 21, 2016
4,477
Behavioural protection works by monitoring the behaviour of applications and programs in real time. If it detects any suspicious activity or deviation from usual patterns, it triggers an alert or blocks the activity. On the other hand, heuristic analysis is more about detecting new, unknown threats by examining code and looking for patterns or characteristics that are typical of malware. Both have their strengths, but behavioural protection tends to be more effective at catching zero-day threats.
 

RRlight

Level 2
Thread author
May 11, 2024
64
Out of that list, I'm only familiar with Kaspersky, so I say System Watcher. But why not try them all out and see what works best on your system?
Thanks. I indeed tested some of those (Avast, Kaspersky and F-Secure) with a small number of samples, double-clicking them if they were not instantly killed by file protection. But their performance is kind of hard to compare, at least in my small tests. For some samples Kaspersky did well, and for other samples Avast did well.

Increasing the number of samples would be time-consuming. Besides, I'm also worried the samples could spread through the LAN formed between the virtual and host machines and infect the host OS.
 

RRlight

Level 2
Thread author
May 11, 2024
64
Then Comodo VirusScope (static and dynamic behaviour analysis with machine learning).
Thank you for the reply.

But I tried Comodo 2025, frankly speaking, with default settings, which is closer to what common home users run. In the 1st VM I installed its firewall component alongside F-Secure, so it does have HIPS and VirusScope. But for the new samples I tried to execute, only containment, firewall and HIPS were triggered; I didn't see VirusScope pop up. And even HIPS not that much, while F-Secure's Deep Guard was triggered several times. The 2nd VM is purely CIS 2025. Out of 40 samples, VirusScope was triggered only 4 times and the scan detected only 1, so it's 5/40 in total. Compared to that, Kaspersky with File Protection turned off and without internet intercepts and kills more than half of the samples, while with internet, more than 30. Although I must say Comodo's containment/sandbox is surely another viable way to handle unknown threats, with years of history.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).
Kaspersky System Watcher and Bitdefender are top, followed by Norton Sonar and Avast/AVG IDP.
McAfee Real Protect would be just below these two, on par with F-Secure DeepGuard.

As to behaviour vs heuristic, behavioural analysis is also based on rules called heuristics. One is pre-execution, the other one is post-execution.

Pre-execution analysis blocks threats before they strike, but is limited in that the analysis must be instant and use very few resources.
This makes it more prone to evasion compared to post-execution analysis.

Behavioural protection observes the true nature of the file and is less prone to evasion, but is limited in that things are already happening, and by the time detection occurs, irreversible damage may already have been done.

This is why pre-execution and post-execution are combined, and neither is more important than the other, but the earlier an attack is blocked, the better. Post-execution protections are hence a last line of defence when everything else has failed.
 
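To make the pre-execution versus post-execution distinction above (and the Bot's behavioural versus heuristic summary earlier in the thread) concrete, here is an added Python example that is not from the thread or from any product named in it: a toy static check beside a toy behavioural rule, both run over a constructed event trace. The indicator strings, the write threshold and the sample trace are made-up assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed substrings a pre-execution (static) heuristic would flag.
STATIC_INDICATORS = ("vssadmin delete shadows", "disablerealtimemonitoring")
# Constructed behavioural rule: shadow-copy deletion followed by writes to
# this many user documents is treated as ransomware-like behaviour.
MASS_WRITE_THRESHOLD = 5


@dataclass
class Verdict:
    stage: str                        # "pre-execution", "post-execution" or "none"
    blocked: bool
    files_modified_before_block: int  # >0 means damage was already done


def pre_execution_scan(file_bytes: bytes) -> bool:
    """Static heuristic: instant, no execution; returns True if flagged."""
    text = file_bytes.decode("latin-1").lower()
    return any(ind in text for ind in STATIC_INDICATORS)


def post_execution_monitor(events: List[Dict[str, str]]) -> Optional[Verdict]:
    """Behavioural rule evaluated as events stream in; it fires on the event
    that completes the pattern, so the earlier writes have already happened."""
    shadow_deleted, writes = False, 0
    for ev in events:
        if ev["type"] == "process" and "vssadmin" in ev["cmd"].lower():
            shadow_deleted = True
        elif ev["type"] == "file_write" and ev["path"].startswith("C:\\Users\\"):
            writes += 1
        if shadow_deleted and writes >= MASS_WRITE_THRESHOLD:
            return Verdict("post-execution", True, writes)
    return None


def analyse(file_bytes: bytes, events: List[Dict[str, str]]) -> Verdict:
    """Pre-execution check first; behavioural monitoring is the last line of defence."""
    if pre_execution_scan(file_bytes):
        return Verdict("pre-execution", True, 0)
    return post_execution_monitor(events) or Verdict("none", False, 0)


# Constructed samples: the second hides the same command behind a trivial XOR,
# so the static check misses it and only its behaviour gives it away.
PLAIN_SAMPLE = b"MZ...vssadmin delete shadows /all /quiet..."
OBFUSCATED_SAMPLE = b"MZ" + bytes(b ^ 0x5A for b in b"vssadmin delete shadows")
RANSOM_TRACE = [{"type": "process", "cmd": "vssadmin delete shadows /all /quiet"}] + [
    {"type": "file_write", "path": f"C:\\Users\\alice\\Documents\\doc{i}.docx"}
    for i in range(5)]
```

Running `analyse` on the obfuscated sample returns a post-execution block with five documents already modified, which is exactly the "irreversible damage" trade-off described above.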

rashmi

Level 12
Jan 15, 2024
562
Comodo's detection technologies have always been average at best. Whitelisting and containment are Comodo's major strengths. If you prioritize prevention over detection, Comodo is worth considering because of its default-deny approach.
 
Oct 17, 2023
105
Comodo VirusScope is really good. Shadowra tested it, and I also test it every day; it's really good.
 
Oct 17, 2023
105
Also, Xcitium/Comodo has a cloud-based file analysis system that does static and dynamic analysis: Cloud Verdict Customer Login | Xcitium Cloud Verdict
VirusScope is static and dynamic analysis:
[Attached screenshots: Dynamic Analysis, Static Analysis]
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,217
Emsisoft, I felt, was good at behaviour detection, though by that point the malware would already be running. I prefer the default-deny approach of CyberLock, Comodo's containment, or @Andy Ful's hardening tools, where files are denied by default and analyzed/cloud-checked.
 
