Battle Behavioural Protection, which is better?

Compare list
Advanced Threat Defense - Bitdefender
CyberCapture - Avast/AVG
Deep Guard - F-secure
McAfee
Sonar - Norton
System Watcher - Kaspersky

Others, free to nominate
Platform(s)
  1. Microsoft Windows
  2. Windows on Arm (Qualcomm)
  3. Apple Mac (M1 and newer)

RRlight

Thread author
CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).
Kaspersky System Watcher and Bitdefender are top, followed by Norton Sonar and Avast/AVG IDP.
McAfee Real Protect would be just below these two, on par with F-Secure DeepGuard.

As to behaviour vs heuristic, behavioural analysis is also based on rules called heuristics. One is pre-execution, the other one is post-execution.

Pre-execution analysis blocks threats before they strike but is limited from the point of view that the analysis must be instant with very little resources.
This makes it more prone to evasion compared to post-execution analysis.

Behavioural protection observes the true nature of the file and is less prone to evasion, but is limited from the point of view that stuff is already happening and by the time detection occurs, irreversible damage may already have been done.

This is why pre-execution and post-execution are combined together and none of them is more important than the other but the earlier an attack is blocked, the better. Post-execution protections are hence a last line of defence when everything else has failed.
Many thanks for this reply.
 

Andy Ful

Modern AVs use behavior-based detections based on the pre-execution, on-execution, and post-execution information. The Real-World tests suggest that Avast/AVG, Bitdefender, F-Secure, Kaspersky, Microsoft Defender for Endpoint, Norton, and TrendMicro use top behavioral technology.
When using Microsoft Defender free, one can get most of the behavioral protection of the paid version after applying advanced settings via PowerShell, or 3rd party tools.
 

Andy Ful

There is no well-accepted meaning of behavioral (or behavior-based) protection among AV vendors. For example:

[Attached image: 1717930352721.png]


As can be seen from the picture, behavior-based protection in Kaspersky depends on behavior patterns and behavior heuristics (supported by Machine Learning models).
I think that nowadays, it would be hard to separate behavioral protection from heuristics.
 

cartaphilus

Exactly right, that's why many of the "serious" behavior blocker / machine learning anti-malware solutions will allow the software to run for a bit, while watching and recording each step an unknown piece of code takes, and then, if it contains indicators of compromise, the software is isolated. Hopefully, the analysis is quick and the number of steps the software took is minimal, but in the end this is the future we have to live with.
 

JB007

I'm wondering if Malwarebytes uses behavioural protection? :unsure:
 

Trident

I'm wondering if Malwarebytes uses behavioural protection? :unsure:
Malwarebytes uses behavioural protection as a set of rules and policies (actions that are not allowed) in the anti-exploit module. This is known as behavioural blocking (the correct term for it).
However, I am not aware of Malwarebytes using behavioural analysis which refers to monitoring software's flow (OS features called, modified settings, registry keys, files, folders, shortcuts created/deleted/modified, etc.), classifying and then remediating.
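
The distinction drawn in this post (behavioural blocking as a policy of disallowed actions, behavioural analysis as monitor, classify, remediate) and the earlier point that post-execution detection arrives after changes have already been made, as an added sketch that is not part of the thread and not any vendor's engine. The event names, weights and threshold are hypothetical and the trace is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed event trace for one unknown process (not real telemetry).
TRACE = [
    ("file_write", r"C:\Users\a\Documents\report.docx"),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    ("file_write", r"C:\Users\a\Documents\budget.xlsx"),
    ("shadow_copy_delete", "vssadmin"),
    ("file_write", r"C:\Users\a\Documents\notes.txt"),
]

# Behavioural blocking: a fixed policy of actions that are never allowed.
BLOCK_POLICY = {"shadow_copy_delete"}

# Behavioural analysis: hypothetical per-action weights, summed per process.
WEIGHTS = {"file_write": 1, "registry_set": 3, "shadow_copy_delete": 5}
THRESHOLD = 6


def behavioural_blocking(trace):
    """Deny each disallowed action on its own; everything else runs unjudged."""
    allowed, denied = [], []
    for action, target in trace:
        (denied if action in BLOCK_POLICY else allowed).append((action, target))
    return allowed, denied


@dataclass
class Verdict:
    malicious: bool
    detected_at: Optional[int]  # index of the event that crossed the threshold
    rollback: list = field(default_factory=list)  # changes made up to detection


def behavioural_analysis(trace):
    """Monitor every event, score the process, then list what to remediate."""
    score, journal = 0, []
    for i, (action, target) in enumerate(trace):
        score += WEIGHTS.get(action, 0)
        journal.append((action, target))
        if score >= THRESHOLD:
            # Classified as malicious: stop the process and hand the journal
            # to remediation. Everything in it has already happened.
            return Verdict(True, i, journal)
    return Verdict(False, None, [])
```

Blocking stops only the one forbidden action and lets the rest of the trace through, while analysis convicts the whole process but only at the fourth event, leaving a journal of changes to roll back.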
 

Vitali Ortzi

How does LiveGuard compare to CyberCapture of Norton?
 

Andy Ful

CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).

Maybe it is not strictly behavioral protection but includes behavioral protection.
CyberCapture is a feature in AVG Internet Security and AVG AntiVirus FREE that detects and analyzes rare, suspicious files. If you attempt to run such a file, CyberCapture locks the file from your PC and sends it to the AVG Threat Labs, where it is analyzed in a safe, virtual environment. You are notified when the analysis is complete.

CyberCapture is not just cloud detonation. It includes the most important features of behavioral protection:
  1. Identifies the suspicious behaviors locally (behavior monitoring).
  2. Can stop running the file when suspicious behaviors are detected.
Cloud detonation is used in CyberCapture to minimize false positives of behavioral components.
 

Vitali Ortzi

So Avast/AVG behavioral analysis is better than Bitdefender too?
From my knowledge, the free version of Bitdefender doesn't have behavior analysis, or at least didn't.

Btw, actually not sure why I didn't include it, but Symantec should be number 2 instead.
And CyberCapture (Avast, AVG) third.
 
