Serious Discussion Best AVs and Worst AVs in Behavioral Health

IceMan7

Level 2
Thread author
Mar 19, 2025
90
AV test labs perform primarily a marketing function.
I agree with that. I've already written that a few times ;) An AV manufacturer that has a brand built on the market will not risk participating in a test where you can be compromised. Marketing-wise, because it cost him a lot.
We talked in this thread about protection which mainly depends on the results of Real-World tests (tests with many 0-day samples).
Eset took only a Bronze Award in Real-World tests, and Avast took the Gold Award.
Ok. But if you look at the table, Eset has the maximum number of stars in all tests.
Besides, the tests were not every month. And what's more - the tests ended before Eset v18. And despite numerous critical remarks about Eset v17 regarding Real-World Protection (that it is weak), it still won the bronze medal. And Kaspersky, which is considered by many to be number 1 in this field, does not have any medal. The same Avast/AVG clone called Norton does not appear in the main awards. Surprisingly, with its poorly rated cloud (Sentra), Avira also has a gold medal in Real-World Protection :D
To end this thread, for years this trio has always been mentioned as the best - Kaspersky, Bitdefender and Eset ;)

I do not know Adrian personally. I do not participate in the forum. I have simply known the AvLab portal for many years. I knew it when this portal was still in its infancy. I knew it before Adrian started playing with tests ;)
 
Reactions: Zero Knowledge

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,881
Ok. But if you look at the table, Eset has the maximum number of stars in all tests.

That is why it was awarded as a product of the year. This also suggests that the differences in protection between Bronze and Gold awards are not especially important.
So, about 10 popular AVs can provide similar protection. In this way, we have circled back to my first post in this thread where I said "I am afraid that I do not know which of the 10 most popular AVs could have the best behavioral protection." :)
It is time to rest a little. 🍺
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,881
I am still puzzled by how Avira and McAfee have greatly improved in the last 2 years. Did they add something new?
 
Reactions: Zero Knowledge

cartaphilus

Level 12
Verified
Top Poster
Well-known
Mar 17, 2023
581
Because one can easily totally replace itself within your system while you use it without even letting you know or show any indication while the other can barely catch a cold.
Kaspersky: banned by governments. Dr.Web is also Russian, but isn't banned; what's going on here? But the free version probably would cover yo
 

cartaphilus

Level 12
Verified
Top Poster
Well-known
Mar 17, 2023
581
I am still puzzled by how Avira and McAfee have greatly improved in the last 2 years. Did they add something new?
Yeah, McAfee merged with FireEye to become Trellix, combined with their CEOs no longer looking over their shoulder for McAfee
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,881
And he was critical to avast a few times ...

Yes, I posted about some weaknesses in the Avast protection:
  1. Avast's CyberCapture can be skirted around via DLL hijacking.
  2. Avast (and some other AVs) do not care about UAC bypasses as much as Microsoft Defender.
  3. In older versions of Avast, CyberCapture worked only for files with MOTW.
For example:

About 15 years ago, I installed Avast on my wife's computer, but she managed to bypass manually the Hardened Mode to install an application bundled with adware (she is a skilled IT professional but not security-oriented). For the last 10 years, I have used mainly Windows built-in protection. I sometimes install popular AVs (including Avast) on my personal computer. I use them during the trial period to see how they currently work and seek possible incompatibilities with my applications.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,881
It would be good to agree on MT on the meaning of Unknown and FUD malware. Both malware types are strictly related to this thread.

My propositions:
Unknown malware (Never-before-seen) - the malware that is undetected by AV signatures.
Unknown malware can be created by slightly changing the file content, packing/encrypting the known malware sample, code obfuscation, replacing/modifying functions and attack vectors, applying new exploits, using new compilers or scripting engines, etc.

FUD (Fully UnDetectable) malware - the Unknown variant of known malware created by hiding the content of known malware via packing/encrypting or obfuscating.
The Scantime FUD prevents static detection. The Runtime FUD prevents dynamic detection (uses fileless methods to run the known malware from memory).


Another problem is with 0-day malware. It is used on MT in two different meanings:
  1. Malware that uses a 0-day exploit.
  2. Never-before-seen malware.

Finally the note on "Behavioral Protection."
My proposition: Protection that uses behavior monitoring (may additionally use other methods) to detect/block threats in real time.
For example, the real-time detonation in the cloud sandbox is part of "Behavioral Protection", but detection via only static analysis is not.
This definition requires malware execution (locally or in the cloud) and monitoring of the malware actions. So it is not the same as behavior-based detection (malware can often be detected by analyzing behaviors included in the file metadata without file execution).
 
Reactions: Jonny Quest
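
Added example (not part of any post in this thread, and not any AV vendor's code): a toy three-layer check that maps the definitions proposed in the post above onto detection logic, showing which layer first flags a known sample, a slightly changed one, a packed (Scantime FUD) one, and a benign one. The byte strings, event labels, rule sets and function names are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Everything below is constructed: byte strings stand in for files, and the
# event names are hypothetical monitor labels, not a real product's schema.
KNOWN_SAMPLE = b"constructed-known-sample"
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
INJECTION_IMPORTS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
INJECTION_SEQUENCE = ("remote_alloc", "remote_write", "remote_thread_start")

@dataclass
class Sample:
    content: bytes      # what a hash signature sees
    imports: frozenset  # what static analysis of file metadata sees
    events: tuple       # what a monitor sees only once the file executes

def in_order(pattern, events):
    """True if pattern appears in events as an ordered, possibly gapped, subsequence."""
    it = iter(events)
    return all(step in it for step in pattern)

def first_detecting_layer(s):
    # Layer 1: signature. Any change to the content changes the hash.
    if hashlib.sha256(s.content).hexdigest() in HASH_SIGNATURES:
        return "signature"
    # Layer 2: behavior-based detection without execution (import metadata).
    if INJECTION_IMPORTS <= s.imports:
        return "static behavior-based"
    # Layer 3: behavioral protection. Requires execution and monitoring.
    if in_order(INJECTION_SEQUENCE, s.events):
        return "behavioral protection"
    return None

BAD_EVENTS = ("process_start", "remote_alloc", "file_read",
              "remote_write", "remote_thread_start")
STUB = frozenset({"LoadLibraryA", "GetProcAddress"})  # all a packed file exposes
SAMPLES = {
    "known":    Sample(KNOWN_SAMPLE, frozenset(INJECTION_IMPORTS), BAD_EVENTS),
    "modified": Sample(KNOWN_SAMPLE + b"\x00", frozenset(INJECTION_IMPORTS), BAD_EVENTS),
    "packed":   Sample(b"constructed-packed-blob", STUB, BAD_EVENTS),
    "benign":   Sample(b"constructed-benign-app", STUB, ("process_start", "file_read")),
}

def run():
    return {name: first_detecting_layer(s) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, layer in run().items():
        print(f"{name:9} -> {layer or 'not detected'}")
```

The model covers only the Scantime case; a Runtime FUD sample, as defined in the post, would also have to be modeled as producing an event trace the runtime rule does not match.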
