I am afraid that I do not know which of the 10 most popular AVs could have the best behavioral protection.
The main reason is that "behavioral protection" is not well defined.
Avast
Behavior Shield is an additional layer of Antivirus active protection. It monitors all processes on the device in real time for suspicious behavior that may indicate the presence of malicious code. Behavior Shield works by detecting and blocking suspicious files based on their similarity to other known threats, even if the files are not yet added to the virus definitions database.
Avira
Behavior-based detection:
Real-Time Monitoring + Anomaly Detection + Heuristic Analysis + Threat Intelligence Integration + Machine Learning and AI + Dynamic Analysis + User Feedback Loop
https://www.jamesparker.dev/aviras-behavior-based-detection-mechanisms/
Bitdefender
Behavior-based protection:
Internet Security stops emerging threats by analyzing the behavior of a given program or process in a virtual environment before it is executed. If it is deemed safe to run, Internet Security continues to analyze the process while it's running to identify likely threats that have not yet been reported.
CrowdStrike
Behavioral protection:
Relying solely on signature-based methods or indicators of compromise (IOCs) leads to the “silent failure” that allows data breaches to occur. Effective endpoint detection and response requires behavioral approaches that search for indicators of attack (IOAs), so you are alerted of suspicious activities before a compromise can occur.
ESET
Behavioral Detection and Blocking - HIPS
ESET Host-based Intrusion Prevention System (HIPS) uses a predefined set of rules to look for suspicious activities and to monitor and scan behavioral events such as running processes, files and registry keys. When identified, HIPS reports the offending item and – if further analysis is necessary – requests deeper inspection using other ESET technology layers.
Deep Behavioral Inspection (DBI) is one of HIPS’ built-in modules that enables deeper and more granular user-mode monitoring of unknown and suspicious processes. DBI was introduced in 2019 and represents an effective antidote for evasion techniques known to be used by threat actors in the wild.
F-Secure
DeepGuard Protection
If the file scanning engines are unable to identify a suspect file as either clean or a known threat, more sophisticated technology is brought into play. The suspect file now comes under the scrutiny of the DeepGuard module, which first checks with the security Cloud if there have been any previous reports about the file to indicate if it is safe or harmful. If there is no prior record, the module then begins monitoring the file’s behavior, at both the point of launch and while it is running. If at either point the file performs actions that appear to be harmful, or shows any characteristics of an exploit attempt, it is immediately blocked from continuing.
Kaspersky
The Behavior Detection component receives data on the actions of applications on your computer and provides this information to other protection components to improve their performance.
The Behavior Detection component utilizes Behavior Stream Signatures (BSS) for applications. BSS contain sequences of actions taken by applications that Kaspersky Endpoint Security classifies as dangerous. If application activity matches a behavior stream signature, Kaspersky Endpoint Security performs the selected responsive action. Kaspersky Endpoint Security functionality based on behavior stream signatures provides proactive defense for the computer.
Microsoft
Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities.
Norton
Behavioral Protection identifies emerging threats based on the behavior of files. It detects malicious code before virus definitions are available through LiveUpdate and protects you from advanced threats.
Panda
Behavioral Blocking
Hackers sometimes use techniques that involve injecting malicious code into legitimate applications in order to secretly perform dangerous actions on your computer.
Thanks to its behavior blocker, your Panda product checks all actions performed by the applications installed on your computer, blocking all those that could be dangerous to ensure your security.
Behavioral Analysis
The behavioral analysis operates as a last line of defense against malware that manages to run on a system having evaded all other detection and scanning technologies.
This protection intercepts the operations performed by the applications installed on your computer, checking them before allowing the processes to run completely. This real-time check determines whether or not processes can be run based on their behavior.
Proofpoint
Supernova Behavioral Engine better detects email patterns that fall outside of the norm, improving detection of all threat types, from business email compromise (BEC) to credential phishing and much more. It builds off the work we did with Supernova as part of Advanced BEC Defense in 2021, incorporating signals and learnings from that engine.
Here are some of the signals Supernova Behavioral Engine will use to determine if a message is malicious (as the engine evolves, we’ll add more signals):
- Unknown sender, i.e. someone who has never communicated with you before
- Uncommon language or sentiment (such as discussing a financial transaction for the first time)
- Uncommon URL or subdomain
- Unusual SaaS (software-as-a-service) tenant, which is often a sign of supplier account compromise
- Unusual SMTP infrastructure, which is likewise indicative of possible account compromise
Sophos
Malicious behavior detection is the dynamic analysis of all programs running on the computer to detect and block activity that is known to be malicious.
Trend Micro
Malware Behavior Blocking