Battle Behavioural Protection, which is better?

Compare list
Advanced Threat Defense - Bitdefender
CyberCapture - Avast/AVG
Deep Guard - F-secure
McAfee
Sonar - Norton
System Watcher - Kaspersky

Others, free to nominate
Platform(s)
  1. Microsoft Windows
  2. Windows on Arm (Qualcomm)
  3. Apple Mac (M1 and newer)

RRlight

Level 1
Thread author
May 11, 2024
30
CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).
Kaspersky System Watcher and Bitdefender are top, followed by Norton Sonar and Avast/AVG IDP.
McAfee Real Protect would be just below these two, on par with F-Secure DeepGuard.

As to behaviour vs heuristic, behavioural analysis is also based on rules called heuristics. One is pre-execution, the other one is post-execution.

Pre-execution analysis blocks threats before they strike but is limited from the point of view that the analysis must be instant with very little resources.
This makes it more prone to evasion compared to post-execution analysis.

Behavioural protection observes the true nature of the file and is less prone to evasion, but is limited from the point of view that stuff is already happening and by the time detection occurs, irreversible damage may already have been done.

This is why pre-execution and post-execution are combined together and none of them is more important than the other but the earlier an attack is blocked, the better. Post-execution protections are hence a last line of defence when everything else has failed.
Many thanks for this reply.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,222
Modern AVs use behavior-based detections based on the pre-execution, on-execution, and post-execution information. The Real-World tests suggest that Avast/AVG, Bitdefender, F-Secure, Kaspersky, Microsoft Defender for Endpoint, Norton, and TrendMicro use top behavioral technology.
When using Microsoft Defender free, one can get most of the behavioral protection of the paid version after applying advanced settings via PowerShell, or 3rd party tools.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,222
There is no well-accepted meaning of behavioral (or behavior-based) protection among AV vendors. For example:

[attached screenshot]


As can be seen from the picture, behavior-based protection in Kaspersky depends on behavior patterns and behavior heuristics (supported by Machine Learning models).
I think that nowadays, it would be hard to separate behavioral protection from heuristics.
 

cartaphilus

Level 5
Verified
Well-known
Mar 17, 2023
228
CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).
Kaspersky System Watcher and Bitdefender are top, followed by Norton Sonar and Avast/AVG IDP.
McAfee Real Protect would be just below these two, on par with F-Secure DeepGuard.

As to behaviour vs heuristic, behavioural analysis is also based on rules called heuristics. One is pre-execution, the other one is post-execution.

Pre-execution analysis blocks threats before they strike but is limited from the point of view that the analysis must be instant with very little resources.
This makes it more prone to evasion compared to post-execution analysis.

Behavioural protection observes the true nature of the file and is less prone to evasion, but is limited from the point of view that stuff is already happening and by the time detection occurs, irreversible damage may already have been done.

This is why pre-execution and post-execution are combined together and none of them is more important than the other but the earlier an attack is blocked, the better. Post-execution protections are hence a last line of defence when everything else has failed.
Exactly right, that's why many of the "serious" behavior blocker / machine learning anti-malware solutions will allow the software to run for a bit, while watching and recording each step an unknown piece of code takes, and then, if it contains indicators of compromise, the software is isolated. Hopefully, the analysis is quick and the number of steps the software took is minimal, but in the end this is the future we have to live with.
 

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,575
CyberCapture is not behavioural protection, it is cloud detonation (lightweight one).
Kaspersky System Watcher and Bitdefender are top, followed by Norton Sonar and Avast/AVG IDP.
McAfee Real Protect would be just below these two, on par with F-Secure DeepGuard.

As to behaviour vs heuristic, behavioural analysis is also based on rules called heuristics. One is pre-execution, the other one is post-execution.

Pre-execution analysis blocks threats before they strike but is limited from the point of view that the analysis must be instant with very little resources.
This makes it more prone to evasion compared to post-execution analysis.

Behavioural protection observes the true nature of the file and is less prone to evasion, but is limited from the point of view that stuff is already happening and by the time detection occurs, irreversible damage may already have been done.

This is why pre-execution and post-execution are combined together and none of them is more important than the other but the earlier an attack is blocked, the better. Post-execution protections are hence a last line of defence when everything else has failed.

Modern AVs use behavior-based detections based on the pre-execution, on-execution, and post-execution information. The Real-World tests suggest that Avast/AVG, Bitdefender, F-Secure, Kaspersky, Microsoft Defender for Endpoint, Norton, and TrendMicro use top behavioral technology.
When using Microsoft Defender free, one can get most of the behavioral protection of the paid version after applying advanced settings via PowerShell, or 3rd party tools.

I'm wondering if Malwarebytes uses behavioural protection? :unsure:
 

Trident

Level 29
Verified
Top Poster
Well-known
Feb 7, 2023
1,809
I'm wondering if Malwarebytes uses behavioural protection? :unsure:
Malwarebytes uses behavioural protection as a set of rules and policies (actions that are not allowed) in the anti-exploit module. This is known as behavioural blocking (the correct term for it).
However, I am not aware of Malwarebytes using behavioural analysis, which refers to monitoring the software's flow (OS features called, modified settings, registry keys, files, folders, shortcuts created/deleted/modified, etc.), classifying and then remediating.
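Trident's description of behavioural analysis (monitoring what a program does, classifying, then remediating) and the earlier point that post-execution detection only fires after something has already happened, as an added Python example that is not from the thread or from any of the products named: a toy behaviour monitor scores a constructed event trace against assumed weighted rules and reports how many files were already modified when the verdict fired. The rule names, weights, threshold and the sample trace are all assumptions made for the demo.

```python
# Added example (not from the thread): a toy post-execution behaviour monitor that
# replays a constructed trace of an unknown process (API calls, registry, file and
# process activity), scores each step against weighted behaviour rules the way a
# behaviour blocker's heuristics do, and reports the step at which the verdict fired
# plus the files already modified by then. Rules, weights and threshold are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class Event:
    kind: str    # "api_call" | "file_write" | "registry_set" | "process_exec"
    target: str  # API name, path, registry value or command line touched
@dataclass
class Verdict:
    label: str = "clean"                     # "clean" or "malicious"
    step: Optional[int] = None               # 1-based step at which the threshold was crossed
    matched: List[str] = field(default_factory=list)  # rule names that fired
    damaged: List[str] = field(default_factory=list)  # files written before detection

# Behaviour patterns: rule name -> (predicate over one event, weight). Assumed heuristics.
RULES = {
    "persistence_run_key": (lambda e: e.kind == "registry_set" and "\\CurrentVersion\\Run\\" in e.target, 30),
    "disable_av_setting": (lambda e: e.kind == "registry_set" and e.target.endswith("DisableRealtimeMonitoring"), 50),
    "shadow_copy_deletion": (lambda e: e.kind == "process_exec" and "delete shadows" in e.target.lower(), 60),
    "rename_to_locked": (lambda e: e.kind == "file_write" and e.target.lower().endswith(".locked"), 15),
}
BLOCK_THRESHOLD = 100  # cumulative score at which the process is terminated

def monitor(trace) -> Verdict:
    """Classify a process from its recorded behaviour; the verdict arrives only after damage starts."""
    v, score = Verdict(), 0
    for step, ev in enumerate(trace, start=1):
        if ev.kind == "file_write":
            v.damaged.append(ev.target)  # what a rollback would have to restore
        for name, (pred, weight) in RULES.items():
            if pred(ev):
                score += weight
                v.matched.append(name)
        if score >= BLOCK_THRESHOLD:
            v.label, v.step = "malicious", step  # stop here; remediation works from v.damaged
            return v
    return v

SAMPLE_TRACE = [  # constructed trace for the demo, not captured from real malware
    Event("api_call", "CreateFileW"),
    Event("file_write", r"C:\Users\alice\Documents\q1.docx.locked"),
    Event("file_write", r"C:\Users\alice\Documents\q2.xlsx.locked"),
    Event("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("file_write", r"C:\Users\alice\Documents\q3.pptx.locked"),
    Event("process_exec", "vssadmin.exe delete shadows"),
]
```

Running `monitor(SAMPLE_TRACE)` returns a malicious verdict at step 6 with three files already in `damaged`, which is the gap a rollback feature such as the one described for System Watcher exists to close.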
 
