No, I don't say anything; I find it better because Emsisoft blocked like 8 of my games from Steam... And the behavior blocker is actually some half-in-cloud thing or something ;p
It works like threat emulation from ZoneAlarm, but then also with a behavior blocker on the PC itself..
I edited my post before you responded with the quote; I misread your post at first, sorry about that.
But yeah, unless it is executing the program and monitoring the behavior to detect it on the backend of the server like an MA system (e.g. Hybrid Analysis), or it's monitoring the behavior as you're executing, it doesn't count as a behavior blocker.
I am not sure how whatever you're talking about works; that is why I'm asking for more details. I'm curious since you said you find it better than Emsisoft BB.
I can't say much about it as it isn't public info... They only said you can count on that sort of feature in the Pro version
in answer to my question of whether it has a behavior blocker...
And as said, I only think Emsisoft's BB has too many false positives..
I think it's still in a testing state.. for Pro users.
About protecting Edge: don't worry about that. Edge can protect itself very nicely. It runs in AppContainer isolation, which is better protection than any AV could hope to provide.
About Avira and behavior blocker: there is no copyright on the name "behavior blocker". Any AV company can say that they have a "behavior blocker", but that doesn't make them all equal. It's kind of like saying that a Fiat and a Mercedes are the same, since they both belong in the automobile category.
On this forum we don't tend to give much credence to commercial awards of that type. We give more credence to in-house MT testing, which is done by volunteer experts who have no vested interests.
I don't even know what you're talking about, but if you like Avira that's not a problem.
All I am saying is, last time I checked, a month ago, they couldn't even block basic DLL injection via NtAllocateVirtualMemory, NtWriteVirtualMemory and RtlCreateUserThread from a custom sample which was not digitally signed and had never been seen before by their cloud network, let alone damn RunPE attacks or MBR overwrite lol
Bear in mind the injection method I just mentioned has been used by malware for over 10 years.
But I mean we all like different vendors etc., so if you are recommending Avira to OP then that's fine; I wasn't trying to cause trouble :/ sorry for the misunderstanding.
1. You probably tested the free version.
2. The behavior blocker is now like 3 weeks old..
3. Avira does likely not block it because you made it yourself.. but that I can't confirm.. but it's likely to not create a FP.
4. You need to see the Product of the Year award from AV-Comparatives..
Do take a look at our tests available here, with videos that "actually" show how products are tested, unlike the independent lab review sites, where anything could happen [not that they are false].
1. Maybe. I'll make sure to test the pro pro pro version today.
2. Interesting.
3. It has nothing to do with whether I made it myself or not, Avira will not know the difference. It's not like they have a mechanism to identify when I compile a program from within VS.
That is like saying "ok I made MBR overwrite myself, since VS compiled it let's allow it and let it destroy the MBR"
4. AV-Comparatives means nothing to me; none of these awards do. They literally mean nothing.
I am answering the thread.
Companion for Norton?
Simple. Shadow Defender: just restart and all infections are gone.
By the way, as @Sr. Normal 2.0 suggested, VoodooShield is a nice addition, even the free version, and adding Shadow Defender to those 2,
I believe you will be more than OK.
Just my opinion.
@Xsjx OK, I installed Avira Pro and ran test samples which execute code which is malicious; however, it's been done in a way which will not actually harm me. It's hard for me to explain what I mean; however, I do custom malware for testing purposes...
Host testing:
1. DLL injection (basic): missed -> the targets were Task Manager (an elevated process and also a Windows built-in process) and explorer.exe
2. Stealth injection (basic): missed -> the target was explorer.exe
3. Dynamic forking: missed
4. Loading a malicious device driver to attack the Avira process and shut it down from memory (bypassing the self-protection): missed -> bear in mind the device driver was signed with a test certificate and the system is in Test Mode so I can load it, and the driver was loaded by OSRLOADER.exe, which was process-hollowed into WaveGUI.exe at the time (which means Avira scanned WaveGUI.exe and would see the small file size and the company detail saying it was by Piriform, but without the digital signature) LOL
5. MBR overwrite: missed (I overwrote the MBR -> waited a minute -> reverted the MBR back to how it originally was)
6. Hosts file overwrite: missed -> I didn't even test it active on the system; I used a sample I made a few months back to force a BSOD on the system and replace the hosts file on reboot
Here is a screenshot of dynamic forking active on my host system... OSRLOADER.exe is running within the address space of WaveGUI.exe. Avira even popped up telling me it was analyzing WaveGUI.exe (which had never been seen before by any online reputation clouds) and it returned clean; after it had executed in memory it was replaced with OSRLOADER.exe, and Avira didn't know a thing:
Still need to change my PC name back... my name isn't "louish" ahahaha
Before doing the test I thought Avira was OK for signatures, but they just missed a dozen clearly malicious custom samples with small file sizes, no company info, no proper icon, absolutely no packing and clearly accessible imported functions... Now I think it's even worse than before the test. lol. So much for good static heuristics; surely they had enough trojan injectors to make some good sigs for 'em. Now I am starting to think that they are literally mainly relying on checksums.
So yeah, I've got no idea who from Avira told you about their magical behavior blocking, but I literally see nothing of the kind. It turned my system into a slug within a minute of installation as well, and it had to use Avira Connect to install; it claimed it failed the first try... hmm... uninstalled!
But still, if you like Avira and recommend it then np, but the test above concludes my opinion... take it with a grain of salt, though. But bear in mind I tested actual behavior, and since it could not stop it now, it means it won't stop it for any samples which it hasn't detected prior to execution.
But plz, anyone reading, don't let the above put you off Avira; I am not tryna bash them... just sharing results due to the discussion above. If you wanna use Avira and like it then go for it, use what you want.
Hmm.. It can be (complaining) that you tested some things Avira is still working on..
Further, actually Avira doesn't rely on sigs but more on cloud.
I don't know what they are planning and it doesn't matter.. it's about what is happening now. Point is, they failed to block any of the behavior I tested from samples unknown to their cloud. Whether I made them or not is irrelevant; the activity was still malicious and can do a lot of damage in the wild if used properly. E.g. injection can be used to put a formgrabber into a web browser and steal credentials to banking websites... not difficult, and Avira would have no clue about it unless it picked up the launcher/DLL as malicious via static methods lol
As for their cloud network, it did a great job detecting the unknown brand-new samples with absolutely no packing and obvious suspicious factors. Don't you think it's weird that a program about 5 MB in size, which had been file-padded to boost the file size and had "Piriform Ltd." as the company name info without a digital signature, imports very few functions, but especially functions like WriteProcessMemory, QueueUserAPC, CreateRemoteThread? lol
IMO it's a joke, but ofc if you like it and anyone else wants to use it then np; I just shared the results since you seemed confident that it had a better BB than Emsisoft. That being said, I am not even a fan of Emsisoft that much anymore as it didn't work too well for me lately, but even Emsisoft can block things like DLL injection lol
Anyway, send me a PM if you wanna continue; I think I've hijacked this thread enough, so I can't reply here again about this discussion.
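As an added example (not code from the thread, nor from Avira or Emsisoft), here is the kind of static triage the posts above say should have caught those samples: parse a PE32 import table by hand, flag the injection APIs named earlier (WriteProcessMemory, CreateRemoteThread, QueueUserAPC, the NtAllocateVirtualMemory/NtWriteVirtualMemory/RtlCreateUserThread trio), measure the zero overlay that file padding leaves past the last section, and note a vendor string with no Authenticode blob. The PE it analyses is constructed in memory for the example, and the company name is passed in as an assumption rather than parsed from the version resource.

```python
import struct

# Imports the thread cites as the building blocks of remote-process code
# injection; a small unsigned binary importing these deserves a closer look.
INJECTION_APIS = {
    "WriteProcessMemory", "CreateRemoteThread", "QueueUserAPC", "VirtualAllocEx",
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "RtlCreateUserThread",
}


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def rva_to_offset(rva, sections):
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} maps to no section")


def parse_pe(data):
    """Return (imports by DLL, overlay bytes, security directory present) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    # Data directories start at optional-header offset 96 for PE32:
    # entry 1 is the import table, entry 4 the Authenticode (security) blob.
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]
    sec_size = struct.unpack_from("<I", data, opt + 96 + 4 * 8 + 4)[0]
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw, rawsize))
    overlay = len(data) - max(raw + rawsize for _, _, raw, rawsize in sections)
    imports = {}
    off = rva_to_offset(imp_rva, sections) if imp_rva else None
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if not (oft or name_rva or ft):
            break  # all-zero descriptor terminates the table
        names, thunk = [], rva_to_offset(oft or ft, sections)
        while (entry := struct.unpack_from("<I", data, thunk)[0]):
            # High bit set: import by ordinal; otherwise RVA of hint (2 bytes) + name.
            names.append(f"#{entry & 0xFFFF}" if entry & 0x80000000
                         else read_cstr(data, rva_to_offset(entry, sections) + 2))
            thunk += 4
        imports[read_cstr(data, rva_to_offset(name_rva, sections)).lower()] = names
        off += 20
    return imports, overlay, sec_size != 0


def triage(data, company_name=None):
    """Static findings a reviewer would raise. company_name is an assumed input
    standing in for the version-resource field (VS_VERSIONINFO is not parsed here)."""
    imports, overlay, has_sig = parse_pe(data)
    hits = sorted(n for names in imports.values() for n in names if n in INJECTION_APIS)
    findings = []
    if hits:
        findings.append("injection APIs imported: " + ", ".join(hits))
    if overlay >= 1 << 20:
        findings.append(f"{overlay} bytes of overlay past the last section (file padding)")
    if company_name and not has_sig:
        findings.append(f"claims vendor {company_name!r} but carries no Authenticode signature")
    return findings


def build_sample():
    """Constructed PE32 (not a real binary): one .rdata section holding an import
    table for the APIs above, followed by 2 MiB of zero padding as overlay."""
    dlls = {"kernel32.dll": ["WriteProcessMemory", "CreateRemoteThread", "QueueUserAPC"],
            "ntdll.dll": ["NtAllocateVirtualMemory"]}
    sec_rva, sec_off = 0x1000, 0x200
    descs, thunks, strings = bytearray(), bytearray(), bytearray()
    thunk_base = 20 * (len(dlls) + 1)  # descriptors first, then thunk arrays, then strings
    str_base = thunk_base + sum(4 * (len(f) + 1) for f in dlls.values())
    for dll, funcs in dlls.items():
        dll_rva = sec_rva + str_base + len(strings)
        strings += dll.encode() + b"\0"
        oft_rva = sec_rva + thunk_base + len(thunks)
        for fn in funcs:
            thunks += struct.pack("<I", sec_rva + str_base + len(strings))
            strings += b"\0\0" + fn.encode() + b"\0"  # IMAGE_IMPORT_BY_NAME: hint, name
        thunks += b"\0\0\0\0"
        descs += struct.pack("<IIIII", oft_rva, 0, 0, dll_rva, oft_rva)
    body = descs + b"\0" * 20 + thunks + strings
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, sec_off)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_rva, thunk_base)   # import directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sec_rva, raw_size, sec_off, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr).ljust(sec_off, b"\0")
    return headers + bytes(body).ljust(raw_size, b"\0") + b"\0" * (2 << 20)
```

Running `triage(build_sample(), company_name="Piriform Ltd.")` returns three findings: the four injection APIs, the 2 MiB padding overlay, and the unsigned vendor claim. The signature check only tests whether the security data directory is populated, not whether the certificate chains or the hash matches, so a real triage pass would verify the Authenticode blob as well; nothing here replaces runtime monitoring, which is the point the thread is arguing about.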
On my home (family) desktop, which is quite old actually, I only use Norton, without any other apps (with SmartScreen on... etc.) because it would be a downgrade on resources, with SONAR on aggressive, and I didn't have any issue. If I had to choose something additional, I would go for Malwarebytes or VoodooShield.