Battle Behavioural Protection, which is better?

RRlight · Jun 8, 2024

Trident said:
CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).
Kaspersky System Watcher and Bitdefender are top, followed by Norton Sonar and Avast/AVG IDP.
McAfee Real Protect would be just below these two, on par with F-Secure DeepGuard.

As to behaviour vs heuristic, behavioural analysis is also based on rules called heuristics. One is pre-execution, the other one is post-execution.

Pre-execution analysis blocks threats before they strike but is limited from the point of view that the analysis must be instant with very little resources.
This makes it more prone to evasion compared to post-execution analysis.

Behavioural protection observes the true nature of the file and is less prone to evasion, but is limited from the point of view that stuff is already happening and by the time detection occurs, irreversible damage may already have been done.

This is why pre-execution and post-execution are combined together and none of them is more important than the other but the earlier an attack is blocked, the better. Post-execution protections are hence a last line of defence when everything else has failed.

Many thanks for this reply.

Andy Ful · Jun 8, 2024

Modern AVs use behavior-based detections based on the pre-execution, on-execution, and post-execution information. The Real-World tests suggest that Avast/AVG, Bitdefender, F-Secure, Kaspersky, Microsoft Defender for Endpoint, Norton, and TrendMicro use top behavioral technology.
When using Microsoft Defender free, one can get most of the behavioral protection of the paid version after applying advanced settings via PowerShell, or 3rd party tools.

[correlate] · Jun 8, 2024

Andy Ful said:
When using Microsoft Defender free, one can get most of the behavioral protection of the paid version after applying advanced settings via PowerShell, or 3rd party tools.

Can you provide steps to achieve this, Mr. Andy? Thank you

Andy Ful · Jun 8, 2024

[correlate] said:
Can you provide steps to achieve this, Mr. Andy? Thank you

The PowerShell CmdLines can be found here:

Microsoft Defender for Endpoint attack surface reduction rules demonstrations - Microsoft Defender for Endpoint

See how attack surface reduction rules block various known threat types.

learn.microsoft.com

The 3rd party tools are well known on MT.

lokamoka820 · Jun 8, 2024

Behavior protection focuses on monitoring system behavior, while heuristic involves analyzing code patterns and behavior, so behavior protection is effective against known and unknown threats, while heuristic is effective against new or not-yet-known malware.

Andy Ful · Jun 9, 2024

There is no well-accepted meaning of behavioral (or behavior-based) protection among AV vendors. For example:

Behavior-based Protection | Kaspersky

Threat Behavior Engine with ML-based models can detect previously unknown malicious patterns at the earliest stages of execution, while memory protection and remediation engine prevent user data compromise and loss.

www.kaspersky.com

As can be seen from the picture, behavior-based protection in Kaspersky depends on behavior patterns and behavior heuristics (supported by Machine Learning models).
I think that nowadays, it would be hard to separate behavioral protection from heuristics.

cartaphilus · Jun 11, 2024

Trident said:
CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).
Kaspersky System Watcher and Bitdefender are top, followed by Norton Sonar and Avast/AVG IDP.
McAfee Real Protect would be just below these two, on par with F-Secure DeepGuard.

As to behaviour vs heuristic, behavioural analysis is also based on rules called heuristics. One is pre-execution, the other one is post-execution.

Pre-execution analysis blocks threats before they strike but is limited from the point of view that the analysis must be instant with very little resources.
This makes it more prone to evasion compared to post-execution analysis.

Behavioural protection observes the true nature of the file and is less prone to evasion, but is limited from the point of view that stuff is already happening and by the time detection occurs, irreversible damage may already have been done.

This is why pre-execution and post-execution are combined together and none of them is more important than the other but the earlier an attack is blocked, the better. Post-execution protections are hence a last line of defence when everything else has failed.

Exactly right, that's why many of the "serious" behavior blocker / machine learning anti malware solutions will allow the software to run for a bit, while watching and recording each step an unknown piece of code takes and then if it contains indicators of compromise; the software is isolated. Hopefully, the analysis is quick and the number of steps the software took is minimal but in the end this is the future we have to live with.

JB007 · Jun 12, 2024

Trident said:
CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).
Kaspersky System Watcher and Bitdefender are top, followed by Norton Sonar and Avast/AVG IDP.
McAfee Real Protect would be just below these two, on par with F-Secure DeepGuard.

As to behaviour vs heuristic, behavioural analysis is also based on rules called heuristics. One is pre-execution, the other one is post-execution.

Pre-execution analysis blocks threats before they strike but is limited from the point of view that the analysis must be instant with very little resources.
This makes it more prone to evasion compared to post-execution analysis.

Behavioural protection observes the true nature of the file and is less prone to evasion, but is limited from the point of view that stuff is already happening and by the time detection occurs, irreversible damage may already have been done.

This is why pre-execution and post-execution are combined together and none of them is more important than the other but the earlier an attack is blocked, the better. Post-execution protections are hence a last line of defence when everything else has failed.

Andy Ful said:
Modern AVs use behavior-based detections based on the pre-execution, on-execution, and post-execution information. The Real-World tests suggest that Avast/AVG, Bitdefender, F-Secure, Kaspersky, Microsoft Defender for Endpoint, Norton, and TrendMicro use top behavioral technology.
When using Microsoft Defender free, one can get most of the behavioral protection of the paid version after applying advanced settings via PowerShell, or 3rd party tools.

I'm wondering if Malwarebytes uses behavioural protection ?

Trident · Jun 12, 2024

JB007 said:
I'm wondering if Malwarebytes uses behavioural protection ?

Malwarebytes uses behavioural protection as a set of rules and policies (actions that are not allowed) in anti-exploit module. This is known as behavioural blocking (the correct term for it).
However, I am not aware of Malwarebytes using behavioural analysis which refers to monitoring software's flow (OS features called, modified settings, registry keys, files, folders, shortcuts created/deleted/modified, etc.), classifying and then remediating.

Vitali Ortzi · Oct 23, 2024

Trident said:
CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).
Kaspersky System Watcher and Bitdefender are top, followed by Norton Sonar and Avast/AVG IDP.
McAfee Real Protect would be just below these two, on par with F-Secure DeepGuard.

As to behaviour vs heuristic, behavioural analysis is also based on rules called heuristics. One is pre-execution, the other one is post-execution.

Pre-execution analysis blocks threats before they strike but is limited from the point of view that the analysis must be instant with very little resources.
This makes it more prone to evasion compared to post-execution analysis.

Behavioural protection observes the true nature of the file and is less prone to evasion, but is limited from the point of view that stuff is already happening and by the time detection occurs, irreversible damage may already have been done.

This is why pre-execution and post-execution are combined together and none of them is more important than the other but the earlier an attack is blocked, the better. Post-execution protections are hence a last line of defence when everything else has failed.

How does liveguard compare to cyber capture of Norton?

Victor M · Oct 23, 2024

RRlight said:
'm also worried the samples could spread through the LAN formed by the virtual and host machine, and infect the host OS.

Then remove the NIC from the guest VM.

Andy Ful · Oct 23, 2024

Trident said:
CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).

Maybe it is not strictly behavioral protection but includes behavioral protection.

CyberCapture is a feature in AVG Internet Security and AVG AntiVirus FREE that detects and analyzes rare, suspicious files. If you attempt to run such a file, CyberCapture locks the file from your PC and sends it to the AVG Threat Labs, where it is analyzed in a safe, virtual environment. You are notified when the analysis is complete.

Cybercapture is not just cloud detonation. It includes the most important features of behavioral protection:

Identifies the suspicious behaviors locally (behavior monitoring).
Can stop running the file when suspicious behaviors are detected.

Cloud detonation is used in CyberCapture to minimize false positives of behavioral components.

Nunzio_77 · Oct 28, 2024

So, which free antivirus has the best behavioral protection module?

Vitali Ortzi · Oct 28, 2024

Nunzio_77 said:
So, which free antivirus has the best behavioral protection module?

Probably Kaspersky as it has system watcher in the free av (I don't recommend it do to nagging of the free version plus the software is banned because of ties to the Russian government)

Second best will be avg, avast

harlan4096 · Oct 28, 2024

is banned because of ties to the Russian government

ONLY IN US

Nunzio_77 · Oct 28, 2024

Vitali Ortzi said:
Probabilmente Kaspersky poiché ha System Watcher nella versione gratuita (non lo consiglio perché lamenta la versione gratuita e inoltre il software è vietato a causa dei legami con il governo russo)

Il secondo migliore sarà avg, avast

Thanks

Nunzio_77 · Oct 28, 2024

So Avast/Avg behavioral analysis is better than Bitdefender too?

Vitali Ortzi · Oct 28, 2024

Nunzio_77 said:
So Avast/Avg behavioral analysis is better than Bitdefender too?

From my knowledge the free version of bitdefender doesn't have behavior analysis or at least didn't

Btw actually not sure why I didn't include it but Symantec should be number 2 instead
And cybercapture (avast,avg ) third

Unlimited Giveaway - Symantec Endpoint Unmanaged without time limit

System requirements : Want to run a free SPEM server to manage your family computers, PM me for a license file (.SLF) (works up to 10 years ).

malwaretips.com

Nunzio_77 · Oct 28, 2024

Well...as far as I know, the free version of Bitdefender has behavioral analysis.

lokamoka820 · Oct 28, 2024

Nunzio_77 said:
So Avast/Avg behavioral analysis is better than Bitdefender too?

I don't have a clear answer about which one is better, but I will always prefer Avast over Bitdefender because it is lighter and don't have problems as Bitdefender have.

Battle Behavioural Protection, which is better?

Level 1

From Hard_Configurator Tools

Level 18

From Hard_Configurator Tools

Level 22

From Hard_Configurator Tools

Level 10

Level 26

Level 34

Level 24

Level 12

From Hard_Configurator Tools

Level 2

Level 24

Super Moderator

Level 2

Level 2

Level 24

Level 2

Level 22

Similar threads