Some of air-gaped PC users even use scripts to remove MSD and use PC with no AV at all, depending on scanning the intended to be used software on the PC used to download before install to the air-gaped ones.
They consider saving PC resources for resource-intensive programs is an advantage, especially they are not connected to internet.
An AV with no connection is useless either way.
People think that behavioural blocking is magical. From user point of view, it’s easy, you monitor the behaviour, you record, the file started modifying files and dropping “your_files_are_encrypted.txt”, so you start remediating.
But when you look at it programmatically, all that the AV sees is an ocean of calls and memory operations. From these calls, the AV needs to filter what’s not related to any known threats (which changes by the minute), it needs to correlate, take a decision and it needs to do it quickly.
There are hundreds of ways to achieve the same behavioir and they all result in different calls. When you group these in sequences, there are probably millions of combinations possible.
It’s possible to create short behavioural profiles, but these lead to more false positives.
This necessitates either a connecion to the cloud for quick processing of huge volumes of information quickly and accurately, or constant pushing of behavioural sequences/profiles, whatever you wanna call them.
All pre-execution detections need frequent updating too.
