And in the AV-C July - Oct 2022 Real-World Protection Test, Panda got 2 stars: blocked 99.7% with 36 false positives.
I guess that's one reason MT (@Shadowra, @cruelsister, and others) do REAL real protection tests. I need to read the fine print: does AV-C (& others) have disclaimers so they don't get sued by infected viewers? Or something like "for entertainment purposes only"?
Well, I made a joke about feeding the Panda one sample a year, but that could be the reason why Panda performs better in the real-world tests of the AV-test labs (I have read somewhere that most of the AV labs use fresh samples, but launch the malware samples in 15-minute windows simultaneously for all AVs, to prevent one AV from learning from others through shared samples and VT detections).
Machine Learning/Artificial Intelligence is the next level of static (pre-execution) heuristics, only AI/ML uses many more data points and determines the probability based on the distance to earlier bad/good sample value clusters (while heuristics only use a few data points with, at best, some rules-based reasoning). This makes ML/AI a huge improvement over traditional heuristics. Behavioral blockers are often seen as the next-level HIPS (which is not true, because a HIPS denies strange, out-of-bounds behavior, while BBs allow behavior until an actor has accumulated so many warnings that it is blocked, so allow by default).
Early BBs managed their own data acquisition and monitoring until Windows started to prevent access to or virtualize critical system components, and the BBs started to use Windows' own event system for collecting unusual behavior. This has immense advantages (less overhead while obtaining more data), but at the cost of some loss of cause-effect information. Because the Windows OS became more robust, malware started to use smarter and more staged ways to intrude into the system (e.g. social engineering, obfuscation, LolBin, script, boot persistence, worm, outbound access, dropper, executable).
Due to the staged intrusion and insufficient cause-effect information, a behavior blocker will have a hard time recognizing the correlation between the different stages over time. The behavior blocker's pattern recognition capabilities will decrease significantly when the tester launches multiple malware samples within a short period of time. All the event signals triggered (with insufficient cause-effect info) may overwhelm the BB, because it does not know how to deal with so many deviations from normal behavior. The event-sequence paths get disturbed, so the BB simply does not recognize the event-path patterns which are typical for some malware (it becomes autistic due to the many event triggers).
I only know Kaspersky System Watcher as the raven with the white feathers: Kaspersky's System Watcher (behavioral blocker) somehow manages to keep track of the event sequences and pop up at the right moment to block malware from infecting your system, but Panda's and Webroot's behavioral blockers are obviously not capable of handling several malware intrusions in a short period of time (as clearly shown by Shadowra's videos).