Advice Request Emsisoft static detection - is it getting worse?

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.
H

hjlbx

dmzbg79 said:
Well,the static detection is getting worse,because Emsisoft are relying on their Bitdefender engine...And the signature detection of Bitdefender is getting worse...I just tested Bitdefender Internet Security 2017 in the Malware Hub and not surprisingly the static scan did not detect any of the 7 files...It only removed 5 of them when i started the exe. files,thanks to the Active Threat Control...The problem that other programs using the Bitdefender engine is that they get help only with signatures...And the Bitdefender signatures are getting worse...
Click to expand...

Static detection is worthless; testing scan engines against malicious files is a complete waste of time. I really don't know why you guys do it.

You expect 100 % detection - but that is never, never, never, never, never, never, never... going to happen for any AV scan engine.

It's a long-obsolete mode of PC protection that commonly results in infection for indiscriminate PC users.

Dynamic detection\prevention is the real measure of an antivirus\internet security suite. In the end, it is the only protection that matters with AV\IS - because sooner or later the scan engine is going to fail to detect.

Why do so few people understand this simple concept - and continue to focus on testing static detection ?

Static detection is not a valuable or meaningful measure of an anti-virus.
 
  • Like
Reactions: Deleted member 2913, XhenEd, Malakke and 2 others
adnage19

adnage19

Level 5
Verified
Well-known
Sep 22, 2016
211
hjlbx said:
Static detection is worthless; testing scan engines against malicious files is a complete waste of time. I really don't know why you guys do it.

You expect 100 % detection - but that is never, never, never, never, never, never, never... going to happen for any AV scan engine.

It's a long-obsolete mode of PC protection that commonly results in infection for indiscriminate PC users.

Dynamic detection\prevention is the real measure of an antivirus\internet security suite. In the end, it is the only protection that matters with AV\IS - because sooner or later the scan engine is going to fail to detect.

Why do so few people understand this simple concept - and continue to focus on testing static detection ?

Static detection is not a valuable or meaningful measure of an anti-virus.
Click to expand...
Ok, but if it is an AV, detection ratio is still important. Emsisoft's behavior blocker is good, but it can't handle all undetected by signatures files. That's the point. Signatures + proactive protection make the value of AV, not only proactive protection. For example, ESET has probably worse proactive protection but it detects more threats by signatures. And overall it has better scores in Malware hub than Emsi. That's only example to clarify the point of discussion.
 
  • Like
Reactions: Deleted member 2913, XhenEd, Malakke and 2 others
H

hjlbx

adnage19 said:
Ok, but if it is an AV, detection ratio is still important. Emsisoft's behavior blocker is good, but it can't handle all undetected by signatures files. That's the point. Signatures + proactive protection make the value of AV, not only proactive protection. For example, ESET has probably worse proactive protection but it detects more threats by signatures. And overall it has better scores in Malware hub than Emsi. That's only example to clarify the point of discussion.
Click to expand...

All that matters for an AV\IS is how well its proactive protection protects a system against those files that its scan engine does not detect.

It's way more critical to protecting the system than the scan engine; 75 % : 25 %
 
  • Like
Reactions: Deleted member 2913, XhenEd and Der.Reisende
Lord Ami

Lord Ami

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 14, 2014
1,041
Yash Khan said:
How the Webroot option works?
I mean if enabled do we get alerts allow/block for unknown?
Click to expand...
Yes, you get alerts for unknown programs.

A little off topic, but when I was testing F-Secure, I too noticed static scan barely detected anything. F-Secure uses in-house signatures too, but most (if any) of detection came from Bitdefender.
 
  • Like
Reactions: Deleted member 2913, Der.Reisende and XhenEd
Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
hjlbx said:
Static detection is worthless; testing scan engines against malicious files is a complete waste of time. I really don't know why you guys do it.

You expect 100 % detection - but that is never, never, never, never, never, never, never... going to happen for any AV scan engine.

It's a long-obsolete mode of PC protection that commonly results in infection for indiscriminate PC users.

Dynamic detection\prevention is the real measure of an antivirus\internet security suite. In the end, it is the only protection that matters with AV\IS - because sooner or later the scan engine is going to fail to detect.

Why do so few people understand this simple concept - and continue to focus on testing static detection ?

Static detection is not a valuable or meaningful measure of an anti-virus.
Click to expand...

In my opinion static detection is still very important and shows:
- how good and fast AV detect new malware and add signatures
- how good their heuristic is
- how good their cloud is

All malware that is detected by signatures is a problem less, a detection before something bad might happen/slip through.
BB and similar are the future and the way to detect unknown malware but they (still) miss malware(a lot for many AV).
 
  • Like
Reactions: DardiM, Wave, ZeroDay and 6 others
H

hjlbx

Solarquest said:
In my opinion static detection is still very important and shows:
- how good and fast AV detect new malware and add signatures
- how good their heuristic is
- how good their cloud is

All malware that is detected by signatures is a problem less, a detection before something bad might happen/slip through.
BB and similar are the future and the way to detect unknown malware but they (still) miss malware(a lot for many AV).
Click to expand...

But study after study have shown that - at best - AV scan engine detection of new malware (< two weeks old and "zero-days") - falls somewhere in the range of 40 to 60 %. The 40 to 60 % range has stood for many years - and varies over time.

The industry standard is to use the average over time... the longer period of time, the more accurate the statistic.

This statistic will never be significantly improved upon with scan engine technology, heuristics and the cloud; it is an established statistic - based upon studies over the past 20 years.

The studies from 2, 5 and 10 years ago are just as true today as they were then. Here is one from 2014 (a bunch of studies of the AV detection rate of zero-day malware can be found online):

http://securityaffairs.co/wordpress/25385/malware/zero-day-malware-detection.html

Here is one that measures zero-day detection on a daily basis:

https://threatcenter.crdf.fr/?Stats

These statistics are no longer updated, but essentially confirm the < 60 % detection rate established in study after study.
 
Last edited by a moderator:
  • Like
Reactions: DardiM, ZeroDay, XhenEd and 2 others
H

hjlbx

CMLew said:
So which is worse?

Static Detection: Postitive , BB: Negative or Static Detection: Negative, BB: Positive ?

If the product works (either detects or block) then my next point is, does it matter?
Click to expand...

Default-deny is the best solution - do it Soviet style - trust nothing and block everything:

https://threatcenter.crdf.fr/?Stats

No longer active but you can see what is posted there... for new malware detection rates.
 
Last edited by a moderator:
  • Like
Reactions: DardiM, Wave, ZeroDay and 3 others
H

hjlbx

Solarquest said:
All malware that is detected by signatures is a problem less, a detection before something bad might happen/slip through. BB and similar are the future and the way to detect unknown malware but they (still) miss malware(a lot for many AV).
Click to expand...

This is why proactive protection is the true measure of any security solution; detecting by signature will fail at some point - and after that - the only thing protecting the system is proactive protection.
 
  • Like
Reactions: DardiM, Wave, Malakke and 3 others
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,159
hjlbx said:
LOL... upon execution, file will not be whitelisted in Emsisoft Anti-Malware Network, behavior blocker will alerts, select block and quarantine; system is safe.

This is not difficult...

Emsisoft uses Bitdefender signatures - and its own signatures which are primarily for PUPs. The behavior blocker is there so the user does not over-rely upon the signatures - or - when there is no signature.
Click to expand...

Does a BB on depend on signatures to function.....I mean in general?
 
  • Like
Reactions: DardiM, XhenEd and Deleted member 2913
CMLew

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
hjlbx said:
Default-deny is the best solution - do it Soviet style - trust nothing and block everything:

https://threatcenter.crdf.fr/?Stats

No longer active but you can see what is posted there... for new malware detection rates.
Click to expand...

Precisely! To me Emsisoft, their prized possession is their BB, not their static detection. And honestly, I can live without any detection, but not without BB. Imagine those ex-Mamutu users, I bet they will scream.... :rolleyes:
 
  • Like
Reactions: DardiM, Malakke, XhenEd and 2 others
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,159
hjlbx said:
There is no stand-alone behavior blocker available on the market any longer. At one time there was - Emsisoft Mamutu, ThreatFire, etc - but those have been dead for years by this point.
Click to expand...
I'm aware of that as I have read the forums here and elsewhere. FI, I have a copy of TF on my disc. At one time it was working fine...after that.... nope. I might use it again on my new system since it's a standalone BB.

BTW, how about software using heuristics? Do they function also depend on signatures? Thanks
 
  • Like
Reactions: XhenEd, Deleted member 2913 and Der.Reisende
H

hjlbx

CMLew said:
Precisely! To me Emsisoft, their prized possession is their BB, not their static detection. And honestly, I can live without any detection, but not without BB. Imagine those ex-Mamutu users, I bet they will scream.... :rolleyes:
Click to expand...

I like the new BB setting at the bottom of version 12; it will be interesting to see how well it protects the system for users.

The thing I don't like about it, is that it appears that if an unknown file does not do anything that the behavior blocker detects as suspicious - then it will be allowed.

I don't know why they did not also offer the option to block the install\run of any file that is not specifically whitelisted in EAN.

Users can rely upon EAN in > 90 % of cases...

I think they should give that option also in that setting.
 
  • Like
Reactions: XhenEd, Deleted member 2913 and Der.Reisende
H

hjlbx

HarborFront said:
I'm aware of that as I have read the forums here and elsewhere. FI, I have a copy of TF on my disc. At one time it was working fine...after that.... nope. I might use it again on my new system since it's a standalone BB.

BTW, how about software using heuristics? Do they function also depend on signatures? Thanks
Click to expand...

Basically, heuristics is based upon probabilities that certain file attributes are malicious whereas a behavior blocker is based upon specific file actions.

Heuristics is not a signature detection, but instead an algorithm detection. Same can be said of behavior blocker - it follows an algorithm.
 
  • Like
Reactions: XhenEd, Deleted member 2913 and Der.Reisende
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,159
hjlbx said:
Basically, heuristics is based upon probabilities that certain file attributes are malicious whereas a behavior blocker is based upon specific file actions.

Heuristics is not a signature detection, but instead an algorithm detection. Same can be said of behavior blocker - it follows an algorithm.
Click to expand...
Thanks

I supposed there's no standalone program using heuristics alone like BB for TF?
 
  • Like
Reactions: Deleted member 2913 and Der.Reisende
Status
Not open for further replies.

Similar threads

harlan4096
    • Like
    • +Reputation
    • Applause
Dr. Web IS 12 - September / December 2022 Report
Replies
2
Views
2,058
Testing Reports & Statistics
upnorth
upnorth
Trident
    • Like
    • +Reputation
    • Hundred Points
Serious Discussion Harmony Endpoint by Check Point
Replies
685
Views
61,504
Other security for Windows, Mac, Linux
simmerskool
simmerskool
Bot
    • Like
  • Locked
New: Emsisoft Anti-Malware 12 – Keeping you safe from ransomware
Replies
0
Views
3,454
Emsisoft
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top