Serious Discussion Best AVs and Worst AVs in Behavioral Health

AV test labs perform primarily a marketing function.
I agree with that. I've already written that a few times ;) An AV manufacturer with a brand established on the market will not risk participating in a test where it could be compromised, marketing-wise, because that would cost it a lot.
We talked in this thread about protection which mainly depends on the results of Real-World tests (tests with many 0-day samples).
Eset took only a Bronze Award in Real-World tests, and Avast took the Gold Award.
Ok. But if you look at the table, Eset has the maximum number of stars in all tests.
Besides, the tests were not run every month. And what's more, the tests ended before Eset v18. And despite numerous critical remarks about Eset v17 regarding Real-World Protection (that it is weak), it still won the bronze medal. And Kaspersky, which is considered by many to be number 1 in this field, does not have any medal. The Avast/AVG clone called Norton likewise does not appear in the main awards. Surprisingly, with its poorly rated cloud (Sentra), Avira also has a gold medal in Real-World Protection :D
To end this thread, for years this trio has always been mentioned as the best - Kaspersky, Bitdefender and Eset ;)

I do not know Adrian personally. I do not participate in the forum. I have simply known the AvLab portal for many years. I knew it when this portal was still in its infancy. I knew it before Adrian started playing with tests ;)
 
Ok. But if you look at the table, Eset has the maximum number of stars in all tests.

That is why it was awarded as a product of the year. This also suggests that the differences in protection between Bronze and Gold awards are not especially important.
So, about 10 popular AVs can provide similar protection. In this way, we have circled back to my first post in this thread where I said "I am afraid that I do not know which of the 10 most popular AVs could have the best behavioral protection." :)
It is time to rest a little.
 
I am still puzzled by how Avira and McAfee have greatly improved in the last 2 years. Did they add something new?
 
Because one can easily totally replace itself within your system while you use it without even letting you know or show any indication while the other can barely catch a cold.
Kaspersky: banned by governments. Dr.Web is also Russian, but isn't banned; what's going on here? But the free version probably would cover yo
 
And he was critical of Avast a few times ...

Yes, I posted about some weaknesses in the Avast protection:
  1. Avast's CyberCapture can be skirted around via DLL hijacking.
  2. Avast (and some other AVs) do not care about UAC bypasses as much as Microsoft Defender.
  3. In older versions of Avast, CyberCapture worked only for files with MOTW.
For example:

About 15 years ago, I installed Avast on my wife's computer, but she managed to manually bypass the Hardened Mode to install an application bundled with adware (she is a skilled IT professional but not security-oriented). For the last 10 years, I have used mainly Windows built-in protection. I sometimes install popular AVs (including Avast) on my personal computer. I use them during the trial period to see how they currently work and to seek possible incompatibilities with my applications.
 
It would be good to agree on MT about the meaning of Unknown and FUD malware. Both malware types are strictly related to this thread.

My propositions:
Unknown malware (Never-before-seen) - malware that is not detected by AV signatures.
Unknown malware can be created by slightly changing the file content, packing/encrypting the known malware sample, code obfuscation, replacing/modifying functions and attack vectors, applying new exploits, using new compilers or scripting engines, etc.

FUD (Fully UnDetectable) malware - the Unknown variant of known malware, created by hiding the content of the known malware via packing/encrypting or obfuscation.
Scantime FUD prevents static detection. Runtime FUD also prevents dynamic detection (it uses fileless methods to run the known malware from memory).


Another problem is with 0-day malware. It is used on MT in two different meanings:
  1. Malware that uses a 0-day exploit.
  2. Never-before-seen malware.

Finally the note on "Behavioral Protection."
My proposition: signature-less protection that uses behavior monitoring or AI signals to detect/block/prevent threats in real time.
For example, real-time detonation in the cloud sandbox is part of "Behavioral Protection", but detection via the AV's local scan engines is not.
This definition often requires malware execution (locally or in the cloud). However, it also covers features such as HIPS, ASR rules, etc., where benign processes are restricted and malware execution is prevented (for example, MS Word cannot execute PowerShell, or suspicious file execution is suspended by local AI to apply additional signature-less security layers).
 
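The definitions in the post above draw a line between signature detection, which a copy of a known sample evades after a trivial edit or a packing pass, and behavioral protection, which judges what a process does (for instance, restricting Word from launching PowerShell). The Python below is an added illustration for this thread, not code from the post or from any vendor's product: the sample bytes, the hash "signature database", the process-creation events and the parent/child rule lists are all constructed.

```python
"""Signature detection vs. behavioral (signature-less) detection.

Added illustration for the thread; all data below is constructed and
does not come from any vendor, product or test lab.
"""
import hashlib

# --- Part 1: why "Unknown" malware evades signatures ---------------------

# Constructed stand-in for a known malware body (not a real sample).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"stand-in for a known malware body" * 8


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# A hash-based "signature database" that knows only the original sample.
SIGNATURE_DB = {sha256(KNOWN_SAMPLE)}


def signature_detects(blob: bytes) -> bool:
    """Static detection: exact-hash match against SIGNATURE_DB."""
    return sha256(blob) in SIGNATURE_DB


def append_byte(blob: bytes) -> bytes:
    """'Slightly changing the file content': one trailing byte is enough."""
    return blob + b"\x00"


def xor_pack(blob: bytes, key: int) -> bytes:
    """Toy 'packing': XOR every byte with a key (unpacking is the same call)."""
    return bytes(b ^ key for b in blob)


# --- Part 2: a behavioral rule that does not look at file content --------

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events: pid, parent pid, image, command line.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "cmdline": "winword.exe invoice.docm"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "cmdline": "cmd.exe /c start stage2"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
]


def ancestors(pid: int, procs: dict) -> list:
    """Walk the parent chain of `pid`; returns ancestor image names, nearest first."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur["ppid"] in procs and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = procs[cur["ppid"]]
        chain.append(cur["image"].lower())
    return chain


def behavioral_alerts(events: list) -> list:
    """Flag shell/script interpreters that descend from an Office process.

    This mirrors the 'MS Word cannot execute PowerShell' idea: the verdict
    depends on who launched what, not on a hash or byte pattern, so the
    modified or packed variants from Part 1 are judged exactly the same way.
    Returns (office ancestor, child image, child pid) tuples.
    """
    procs = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() not in SUSPICIOUS_CHILDREN:
            continue
        office = next((a for a in ancestors(e["pid"], procs) if a in OFFICE_APPS), None)
        if office is not None:
            alerts.append((office, e["image"].lower(), e["pid"]))
    return alerts


if __name__ == "__main__":
    for name, blob in [("known", KNOWN_SAMPLE),
                       ("known + 1 byte", append_byte(KNOWN_SAMPLE)),
                       ("known, XOR-packed", xor_pack(KNOWN_SAMPLE, 0x5A))]:
        print(f"{name:20s} signature hit: {signature_detects(blob)}")
    for office, child, pid in behavioral_alerts(EVENTS):
        print(f"behavioral alert: {child} (pid {pid}) descends from {office}")
```

Run it as a script: the hash signature misses both variants, while the parent-chain rule flags cmd.exe and the PowerShell it launched under winword.exe (a grandchild, which is why the rule walks the whole ancestry rather than checking only the direct parent) and leaves the PowerShell started from Explorer alone. A real product layers reputation, memory inspection and cloud detonation on top of rules like this; the point here is only that the behavioral verdict survives file-level changes that defeat the signature.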
🟥 Vendors Known for Aggressive Telemetry / Logging
These products regularly transmit extensive system and user data—sometimes including full file uploads, usage behavior, browsing history, and more—often without giving the user full control.

Vendor | Telemetry details | Notes
Microsoft Defender | Active by default: cloud protection, behavior analysis, file uploads | Can only be restricted with effort in enterprise environments (Defender for Endpoint)
Avast / AVG | Previously involved in data sales (e.g., via Jumpshot); heavy use of cloud scanning | Proven privacy issues, despite recent improvements
McAfee | Collects extensive usage data, especially in cloud versions | High level of logging, documented in EULAs
Trend Micro | Uses cloud sandboxing and performs various background analyses (behavior, content, etc.) | Temporarily stores user content for analysis
Qihoo 360 | China-based; known for full file uploads and aggressive scanning | Not recommended for use in Western infrastructures
Tencent TAV | Lacks transparency; aggressive cloud connections | Highly questionable from a GDPR perspective
Norton / Symantec | Cloud-based with optional sample uploads and online behavior tracking | Some telemetry can be disabled, but not entirely
Comodo / Xcitium | Strong behavioral detection and sandboxing; logging practices unclear | Container engine sends large amounts of data with limited user control
K7 Antivirus | Limited information; unclear cloud infrastructure, not GDPR-certified | No official privacy statement or guarantees

🟩 Vendors with Confirmed Privacy-Friendly Behavior (e.g., Hash-Only Cloud Use)
These vendors focus on local analysis and only perform hash lookups in the cloud—no content is uploaded unless explicitly enabled by the user.

Vendor | Privacy details | Notes
ESET | Only sends hashes and minimal metadata; never files | 100% GDPR-compliant with a transparent privacy policy
G DATA | Fully local analysis; cloud features are optional and can be fully disabled | "100% Made in Germany" with a strong focus on data protection
Bitdefender | Cloud components active by default; file uploads optional and usage clearly documented | Highly configurable in business versions
Sophos | Transparent cloud use; optional sandboxing; GDPR tools available | Cloud components can be configured
Avira (Business) | Hash-based cloud lookup; no full uploads without user approval | Hosted in the EU; past concerns mainly affected consumer versions
F-Secure | Cloud lookup via hashes; clear and strict privacy policies | Based in Finland; high level of transparency
CrowdStrike Falcon | Telemetry is active but highly configurable; no unsolicited file uploads | Designed for enterprise use with fine-grained control
AhnLab (Korea) | Considered privacy-friendly locally; no known violations | Limited documentation, but no public scandals
 
🥇 At the Forefront of Behavioral Protection (Elite Tier)
These vendors represent the cutting edge of security, leveraging advanced machine learning, EDR/XDR, rollback features, memory scanning, and system behavior profiling. They are built to detect and stop even unknown (zero-day) threats without needing prior signature data.


Vendor | Key features
SentinelOne | AI/ML-powered behavioral engine, automated rollback, static and runtime detection
CrowdStrike Falcon | Real-time behavioral analysis, cloud-native architecture, rich telemetry and threat correlation
Sophos Intercept X | Exploit mitigation, CryptoGuard rollback, deep memory inspection
Bitdefender GravityZone | HyperDetect engine, Process Inspector, strong fileless attack defense
Microsoft Defender for Endpoint | Rich behavioral telemetry, tight integration with ATP and SIEM platforms
ESET Enterprise / Protect Complete | Advanced HIPS, behavior engine, strong protection with minimal cloud reliance

🔐 All of these solutions provide real protection against ransomware, zero-days, and post-exploitation lateral movement.




🟩 Reliable, Solid Behavioral Protection (Mid-High Tier)
These vendors offer dependable behavioral security, though they may lack the depth or automation of elite EDR/XDR platforms. Many rely on hybrid methods (signatures + behavior) and may not offer full rollback or detailed threat correlation.


Vendor | Strengths
G DATA Business | Dual-engine setup with behavior blocker; reliable exploit protection
Kaspersky Endpoint Security | Strong "System Watcher" engine; however, geopolitical concerns exist
Trend Micro Apex One | Effective process/memory monitoring, JavaScript ransomware detection
F-Secure Elements | Lightweight design with solid behavioral components
Avira (Business) | Moderate behavior detection, though lacking advanced EDR functionality
AhnLab V3 Internet Security | Basic behavioral defense; more suited to regional markets



🟥 Below-Average or Weak Behavioral Protection (Warning Tier)
Solutions in this tier rely heavily on signatures, lack advanced behavioral engines or EDR/XDR capabilities, and are often ineffective against fileless attacks, ransomware, or zero-days. These tools are usually reactive and slower to respond to emerging threats.


Vendor | Weaknesses
McAfee (Consumer) | Outdated design; behavioral detection is weak or inconsistent
AVG / Avast (Free) | High false positive rates, poor behavioral detection, mostly reactive
Qihoo 360 / Tencent | Heavily signature-based, low transparency, cloud-dependent
K7 Antivirus | No public documentation of behavioral features; focuses on basic protection
Comodo / Xcitium | Behavior via containers sounds promising but often buggy and prone to false positives
Immunet / ClamAV | Community-driven; lacks real-time or behavioral protection entirely

💡 Most products in this tier are marketed as free, lightweight, or minimalistic, but they often carry significant drawbacks in terms of telemetry, detection effectiveness, or user control.


These are just a few comparison tables I regularly maintain based on ongoing analysis and global developments.

As for Kaspersky, I believe it’s often unfairly singled out. From a purely technical and professional perspective, I see no valid reason not to use it—or to discourage others from doing so. In fact, Kaspersky has consistently been one of the few vendors actively monitoring for state-sponsored malware and blocking such threats effectively.
 
🟥 Below-Average or Weak Behavioral Protection (Warning Tier)
Solutions in this tier rely heavily on signatures, lack advanced behavioral engines or EDR/XDR capabilities, and are often ineffective against fileless attacks, ransomware, or zero-days. These tools are usually reactive and slower to respond to emerging threats.


Vendor | Weaknesses
McAfee (Consumer) | Outdated design; behavioral detection is weak or inconsistent
AVG / Avast (Free) | High false positive rates, poor behavioral detection, mostly reactive
Qihoo 360 / Tencent | Heavily signature-based, low transparency, cloud-dependent
K7 Antivirus | No public documentation of behavioral features; focuses on basic protection
Comodo / Xcitium | Behavior via containers sounds promising but often buggy and prone to false positives
Immunet / ClamAV | Community-driven; lacks real-time or behavioral protection entirely

💡 Most products in this tier are marketed as free, lightweight, or minimalistic, but they often carry significant drawbacks in terms of telemetry, detection effectiveness, or user control.

I do not think the warning tier is necessary for AVG, Avast, Comodo, and Xcitium, except maybe to warn about a higher rate of false positives.
AVG and Avast (Free) use the CyberCapture Sandbox, which has been (for about 2 years now) as effective as advanced Behavioral Protection (at home and in SMBs). Unfortunately, this protection does not cover scripts and DLLs, so AVG and Avast cannot replace strong Behavioral Protection in Enterprises.
Comodo/Xcitium Autocontainment + Script Analysis is as effective as advanced Behavioral Protection (also in Enterprises).
 
CyberCapture is indeed a cloud sandboxing system that automatically isolates and uploads new files for analysis. For home users and small businesses, this provides an effective additional layer of protection. However:

Not a full-fledged EDR solution:
Key capabilities are missing, such as cross-process correlation, in-memory inspection, behavioral anomaly detection, or telemetry aggregation—features commonly found in platforms like Bitdefender, Sophos, or SentinelOne.


Limited coverage for non-executable threats:
As you correctly pointed out—attacks via scripts, DLLs, lateral movement, PowerShell, or WMI are barely or not covered. This is exactly where modern behavioral engines become crucial.

Trust concerns with AVG/Avast:
Despite technical advancements like CyberCapture, there remains a significant trust issue:
The Jumpshot data scandal involving the sale of user data to third parties, along with opaque telemetry practices, continues to raise serious privacy concerns, especially in data-sensitive environments.

Comodo (now Xcitium) has been promoting an innovative Zero Trust model for years, featuring default auto-containment—where all unknown processes are executed within a sandbox. While this sounds impressive on paper, in practice, it comes with several limitations:
High False Positives & Compatibility Issues
Lack of Integration / Missing EDR Backbone
Limited Adoption in the Enterprise Sector (which admittedly is not necessary for private use, but anyway)

You're absolutely right—many of these aspects have improved over time, no doubt about that.
However, they still don’t meet my personal requirements, especially when there are stronger alternatives available that not only offer better features but are also often available at very competitive prices or through promotional deals.
 
However, they still don’t meet my personal requirements, especially when there are stronger alternatives available that not only offer better features but are also often available at very competitive prices or through promotional deals.

Most Enterprises share your personal requirements.
 
Most Enterprises share your personal requirements.
Fair point — though as a developer, you probably know that cloud sandboxing ≠ behavioral protection, and containment without proper context correlation is more “reaction” than “prevention.”


If Comodo’s autocontainment or AVG’s CyberCapture were truly EDR-grade, you'd expect broader adoption beyond free-tier endpoints and tech forums, right?


Curious how you'd architect behavioral threat detection at scale — as a dev. Would love to hear your take or we can discuss a lil more :)

Because relying on "good enough" AV is how ransomware gets admin privileges without even saying hello.

Don’t get me wrong—and please don’t take this as any sort of attack.
I genuinely appreciate having a conversation with someone who can actually point out improvements and discuss them with solid arguments. It’s refreshing!
 
Fair point — though as a developer, you probably know that cloud sandboxing ≠ behavioral protection, and containment without proper context correlation is more “reaction” than “prevention.”

Nowadays, there is no widely accepted definition of behavioral protection. However, most people would probably not consider cloud sandboxing a part of behavioral protection.

If Comodo’s autocontainment or AVG’s CyberCapture were truly EDR-grade, you'd expect broader adoption beyond free-tier endpoints and tech forums, right?

I think we both agree that AVG, Avast, and Comodo are not EDR-grade solutions. However, Xcitium is generally considered EDR-grade, but less popular than Microsoft Defender for Endpoint.

Curious how you'd architect behavioral threat detection at scale — as a dev. Would love to hear your take or we can discuss a lil more :)
Because relying on "good enough" AV is how ransomware gets admin privileges without even saying hello.

The future of behavioral protection relies on AI development and Big Data. It is a task for big companies.
I think that average home users who respect SmartScreen can use the default Windows built-in protection + a popular ad blocker + a popular safe DNS to be "safe enough". The problem can be with happy-clickers, children, and elders. They need additional protection. I do not think the standard antivirus on default settings can be "good enough" for them.
 
Thanks for the thoughtful reply — I appreciate the nuance you're bringing in!

You're right: the term "behavioral protection" lacks a formalized, industry-wide definition. Still, in practice, most security professionals and EDR vendors converge on a few core principles when referring to it:

  • Process-level telemetry and cross-process correlation
  • Memory and script behavior monitoring
  • Automatic response capabilities (rollback, containment, lateral movement detection)
  • Integration into XDR/SIEM workflows
That’s why I wouldn’t put Comodo/Xcitium in the same behavioral protection league as, say, SentinelOne or Defender for Endpoint — even if it technically checks the “EDR” box. Detection quality, context depth, false positive rates, and incident response integration still vary drastically across EDR-labeled products.

Your point about AI and Big Data shaping the future is spot on — behavioral defense at scale requires massive infrastructure and training data. Which is also why smaller vendors often can’t compete long-term in that space without strong telemetry pipelines.

As for home users: I agree that SmartScreen + built-in Defender + safe DNS + adblock is a decent baseline — for informed users.

But as you rightly mentioned:

“happy-clickers, children, and elders”
→ They need protective defaults, not optional toggles buried in Group Policy or PowerShell. That’s where behavioral AVs (or at least smarter default hardening) really matter.
Always happy to nerd out about this stuff — your insights are solid, and the Gartner link was a great addition. Would love to hear your thoughts on how far you think user education can go vs. enforcement via tech controls 😄
 
“happy-clickers, children, and elders”
→ They need protective defaults, not optional toggles buried in Group Policy or PowerShell. That’s where behavioral AVs (or at least smarter default hardening) really matter.

In the home environment, I prefer smart hardening (smart = supported by file reputation). But this usually requires occasional support from the home administrator. Many users cannot get such support, so they must rely on behavioral AVs.
 
"Behavioral Protection"
"Behavioral Analysis"
"Behavior Blocker"
"Behavior ..."

These have no established, industry-wide, standardized definition.

It is up to the software vendor to decide what they mean and what components, mechanisms, methods, and features are included with their own implementation of "Behavioral Protection."

So comparisons are not straightforward (grey mud, mostly) and not valid, as there is no methodology or basis for making direct comparisons between products that have "Behavioral Protection."

If such an industry-accepted methodology did exist, the AV test labs would be exploiting them for profit via "Behavioral Protection" tests regularly.