- Nov 19, 2014
- 2,346
Oh i see. I was not aware that this is what it meant but now you mention it you are probably right. Thanks.
Emsisoft static detection - is it getting worse?
- Thread starter Malakke
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Status
Static detection is worthless; testing scan engines against malicious files is a complete waste of time. I really don't know why you guys do it.
You expect 100 % detection - but that is never, never, never, never, never, never, never... going to happen for any AV scan engine.
It's a long-obsolete mode of PC protection that commonly results in infection for indiscriminate PC users.
Dynamic detection\prevention is the real measure of an antivirus\internet security suite. In the end, it is the only protection that matters with AV\IS - because sooner or later the scan engine is going to fail to detect.
Why do so few people understand this simple concept - and continue to focus on testing static detection ?
Static detection is not a valuable or meaningful measure of an anti-virus.
- Sep 22, 2016
- 211
Ok, but if it is an AV, detection ratio is still important. Emsisoft's behavior blocker is good, but it can't handle all undetected by signatures files. That's the point. Signatures + proactive protection make the value of AV, not only proactive protection. For example, ESET has probably worse proactive protection but it detects more threats by signatures. And overall it has better scores in Malware hub than Emsi. That's only example to clarify the point of discussion.
All that matters for an AV\IS is how well its proactive protection protects a system against those files that its scan engine does not detect.
It's way more critical to protecting the system than the scan engine; 75 % : 25 %
- Jan 29, 2013
- 221
If Memory Optimization is unticked, it's expected that Emsi would use 250Mb-300+Mb.
Whenever I use EIS, I always untick that option.
You're right! It was unticked in v11 and ticked in v12
- Sep 14, 2014
- 1,026
Yes, you get alerts for unknown programs.
A little off topic, but when I was testing F-Secure, I too noticed static scan barely detected anything. F-Secure uses in-house signatures too, but most (if any) of detection came from Bitdefender.
- Jul 22, 2014
- 2,525
In my opinion static detection is still very important and shows:
- how good and fast AV detect new malware and add signatures
- how good their heuristic is
- how good their cloud is
All malware that is detected by signatures is a problem less, a detection before something bad might happen/slip through.
BB and similar are the future and the way to detect unknown malware but they (still) miss malware(a lot for many AV).
- Oct 30, 2015
- 1,251
So which is worse?
Static Detection: Postitive , BB: Negative or Static Detection: Negative, BB: Positive ?
If the product works (either detects or block) then my next point is, does it matter?
Static Detection: Postitive , BB: Negative or Static Detection: Negative, BB: Positive ?
If the product works (either detects or block) then my next point is, does it matter?
But study after study have shown that - at best - AV scan engine detection of new malware (< two weeks old and "zero-days") - falls somewhere in the range of 40 to 60 %. The 40 to 60 % range has stood for many years - and varies over time.
The industry standard is to use the average over time... the longer period of time, the more accurate the statistic.
This statistic will never be significantly improved upon with scan engine technology, heuristics and the cloud; it is an established statistic - based upon studies over the past 20 years.
The studies from 2, 5 and 10 years ago are just as true today as they were then. Here is one from 2014 (a bunch of studies of the AV detection rate of zero-day malware can be found online):
http://securityaffairs.co/wordpress/25385/malware/zero-day-malware-detection.html
Here is one that measures zero-day detection on a daily basis:
https://threatcenter.crdf.fr/?Stats
These statistics are no longer updated, but essentially confirm the < 60 % detection rate established in study after study.
Last edited by a moderator:
Default-deny is the best solution - do it Soviet style - trust nothing and block everything:
https://threatcenter.crdf.fr/?Stats
No longer active but you can see what is posted there... for new malware detection rates.
Last edited by a moderator:
This is why proactive protection is the true measure of any security solution; detecting by signature will fail at some point - and after that - the only thing protecting the system is proactive protection.
Does a BB on depend on signatures to function.....I mean in general?
Thanks. I'll take note when I set up my new system WITHOUT using AV/AM software
There is no stand-alone behavior blocker available on the market any longer. At one time there was - Emsisoft Mamutu, ThreatFire, etc - but those have been dead for years by this point.
- Oct 30, 2015
- 1,251
Precisely! To me Emsisoft, their prized possession is their BB, not their static detection. And honestly, I can live without any detection, but not without BB. Imagine those ex-Mamutu users, I bet they will scream....
I'm aware of that as I have read the forums here and elsewhere. FI, I have a copy of TF on my disc. At one time it was working fine...after that.... nope. I might use it again on my new system since it's a standalone BB.
BTW, how about software using heuristics? Do they function also depend on signatures? Thanks
Precisely! To me Emsisoft, their prized possession is their BB, not their static detection. And honestly, I can live without any detection, but not without BB. Imagine those ex-Mamutu users, I bet they will scream....
I like the new BB setting at the bottom of version 12; it will be interesting to see how well it protects the system for users.
The thing I don't like about it, is that it appears that if an unknown file does not do anything that the behavior blocker detects as suspicious - then it will be allowed.
I don't know why they did not also offer the option to block the install\run of any file that is not specifically whitelisted in EAN.
Users can rely upon EAN in > 90 % of cases...
I think they should give that option also in that setting.
Basically, heuristics is based upon probabilities that certain file attributes are malicious whereas a behavior blocker is based upon specific file actions.
Heuristics is not a signature detection, but instead an algorithm detection. Same can be said of behavior blocker - it follows an algorithm.
- Status
Similar threads
