Advice Request Best behavior blocker/0 day


Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
Refer to the title itself:

Best behavior blocker/0 day


All solutions discussed here have either a BB or a zero-day module. The thread was not about BB only...

ESET has HIPS and its own engine mechanism.

Well said. I like how he picked my post out of multiple people mentioning ESET here in this thread.
 

brambedkar59

Level 32
Verified
Top Poster
Well-known
Apr 16, 2017
2,125
I have seen the BB/0-day module in action for Kaspersky, Bitdefender, Emsisoft & Avast, but it was fortunately/unfortunately only for PUA/PUM/adware (with 1-2 VT detections), because I rarely encounter malware. Each of them protected the system when it needed to.
Does that mean they are the best? Not really. It means that either I just haven't used other AV/AM that much, or I rarely see such scary stuff as actual ransomware or a Trojan.
Also last time I used Emsisoft its support was top notch.
 

safetrend

Level 1
Apr 15, 2022
49
These days, I think AV companies don't strictly distinguish their detection methodologies. They make up some "blahblah tech" and incorporate all the modern technologies (machine learning (AI), behavioral guard, cloud-based, reputation system, etc.) under that name.
Like Bitdefender Theta, McAfee's Artemis, G DATA DeepRay or BEAST, ESET LiveGuard... These trademarks are just for advertisement or something; in the real world they use multiple modules at once to detect one piece of malware.
 

Soulbound

Level 29
Verified
Well-known
Jan 14, 2015
1,761
Is McAfee's BB that bad? McAfee has had a long history of a behavioral guard called "Artemis", and I think it's still effective (but yeah, it can't compare to 'top-tier' products).
Its endpoint solution had it more decent than the home-use versions, although, contrary to popular belief, McAfee home versions were and still are perfectly fine for average Joe usage, granted you don't go on a mad crusade to download everything under the sun while not using any pop-up blocker and just practicing unsafe web surfing.

Ever since McAfee moved their endpoint to another company, however, I stopped using it, as I couldn't be bothered to go through the process of renewing my grant number etc., and there was no need to anymore.
 

safetrend

Level 1
Apr 15, 2022
49
Its endpoint solution had it more decent than the home-use versions, although, contrary to popular belief, McAfee home versions were and still are perfectly fine for average Joe usage, granted you don't go on a mad crusade to download everything under the sun while not using any pop-up blocker and just practicing unsafe web surfing.

Ever since McAfee moved their endpoint to another company, however, I stopped using it, as I couldn't be bothered to go through the process of renewing my grant number etc., and there was no need to anymore.
Thanks for sharing the information. Although McAfee scores badly on some tests and its reputation is also bad among people, yes, McAfee is more than enough for the average Joe.
Btw, McAfee's enterprise division was merged into Trellix as far as I know (is that right? 😂), and Trellix uses the Bitdefender engine. Then they don't use McAfee's signatures anymore?
 

Bushman

Level 2
Verified
Sep 9, 2017
55
I have seen the BB/0-day module in action for Kaspersky, Bitdefender, Emsisoft & Avast, but it was fortunately/unfortunately only for PUA/PUM/adware (with 1-2 VT detections), because I rarely encounter malware. Each of them protected the system when it needed to.
Does that mean they are the best? Not really. It means that either I just haven't used other AV/AM that much, or I rarely see such scary stuff as actual ransomware or a Trojan.
Also, last time I used Emsisoft its support was top notch.
The best support service among publishers... no other does as well in supporting its customers, and especially not F-Secure.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
Maybe the FP rate of F-Secure is lower in your country due to a larger user base. DeepGuard will sometimes block unknown applications based on their prevalence (I think ML also plays a role in deciding whether to block or not). You can check for the reason why DeepGuard blocks an application in the logs. In most cases, the reason is "rare".

I got this idea (abch = abuse.ch) from @MacDefender. :p
Yeah that was my best guess for what 'abch' was. I didn't want to be unethical and submit something harmless to Malware Bazaar but I suspected that they might be adding cloud hashes for almost everything in Malware Bazaar or perhaps automated sandboxes where certain criteria are met.

I personally don't like the practice. While it may improve zero-day detections some, I feel it is more of a cheap trick to make performance look strong when amateur malware testers try the product.


FWIW DeepGuard can be a little touchy with unknown applications, but it's not the most sensitive. I have been doing some ASP.NET Core app development this past month and had to remove Emsisoft Business Security from my server because its behavior blocker kept flagging almost every compilation product of an ASP.NET Core webapp as behavior "trojan horse". And because the hashes and paths all change as the app gets compiled per commit, I can't whitelist it.
 

Soulbound

Level 29
Verified
Well-known
Jan 14, 2015
1,761
Thanks for sharing the information. Although McAfee scores badly on some tests and its reputation is also bad among people, yes, McAfee is more than enough for the average Joe.
Btw, McAfee's enterprise division was merged into Trellix as far as I know (is that right? 😂), and Trellix uses the Bitdefender engine. Then they don't use McAfee's signatures anymore?
Sorry, thought I answered before.

In fact, Trellix is a brand launched by Symphony Technology Group (STG for short), which first acquired McAfee Enterprise in 2021; then FireEye sold their brand and products to STG. Result = Trellix.

Fun fact: FireEye also previously acquired another company that was known for cyber security investigation and handling, and as a result it further expanded from there.

On its own, STG basically incorporated both acquisitions' technology into a new one known as Trellix.

It has a lot of similarities to MD (Microsoft Defender for Endpoint) in terms of underlying technologies:

Malware protection
Anti-phishing
Behavioral threat analysis
Machine learning
Cloud-based threat detection


In terms of attack detection and mitigation, from what I know Trellix puts suspicious or suspected threats into quarantine straight away, but also makes a backup/duplication of safe copies of files as a countermeasure.

MD doesn't as far as I know but I could be wrong.

When it comes to machine learning, both are top notch, but while MD sends sensor data for threat detection, Trellix uses the more traditional way of recording process-level behaviour to analyse data etc., so basically a more traditional behaviour blocker technology.

The final difference between the two is S-A and M-A (Single-Agent and Multi-Agent)
MD uses M-A while Trellix uses S-A.

I personally prefer S-A, but both are easy to maintain except for one small difference. For MD, you have to have an OS update to update the platform, while on Trellix you don't.

As for the engine that Trellix uses, I do not know. If I can get my hands on it, I will let you know.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
STG for short, which first acquired in 2021 McAfee Enterprise and then FireEye sold their brand and products to STG. Result = Trellix.
Hmm, Thoma Bravo still lists McAfee (with text that includes its NextGen enterprise divisions). Thoma Bravo should have updated its site long ago but McAfee is still listed there.

 

Soulbound

Level 29
Verified
Well-known
Jan 14, 2015
1,761
Well, not the full McAfee was acquired by STG, unlike FireEye.
But yeah, they didn't update after the STG acquisition.
 

likeastar20

Level 9
Thread author
Verified
Mar 24, 2016
423
First tier: Bitdefender ATD, Kaspersky SW

Second tier: Norton SONAR (bad protection against ransomware and some stealer), Emsisoft (no rollback), Avast IDP (inadequate protection against ransomware)

Third tier: F-Secure DG (relatively high FPs, no rollback), McAfee RP (bad protection against script, depends on Cloud)

Fourth tier: ESET DBI and RS (insensitive), Trend Micro (high FPs in hypersensitive mode, not sensitive in normal mode), Avira Sentry (insensitive to malware, produce FPs in my testing)
I'm curious about an updated list 👀
 