Advice Request Emsisoft static detection - is it getting worse?


novocaine

Level 5
Verified
Well-known
Aug 19, 2016
200
This is why proactive protection is the true measure of any security solution; detecting by signature will fail at some point - and after that - the only thing protecting the system is proactive protection.

It's about eliminating known or unknown, passive or active threats. We cannot rely only on static because threats vary countlessly and unpredictably, and we cannot rely only on dynamic because threats can be so specific. The point is just eliminating possibly all threats on your stuff, whether they're sleeping or running. I agree it's in no way 100%, but at least AVs try to eliminate them as much as possible by various methods as a package.
 

hjlbx

It's about eliminating known or unknown, passive or active threats. We cannot rely only on static because threats vary countlessly and unpredictably, and we cannot rely only on dynamic because threats can be so specific. The point is just eliminating possibly all threats on your stuff, whether they're sleeping or running. I agree it's in no way 100%, but at least AVs try to eliminate them as much as possible by various methods as a package.

  • The advantage of scan engine is that "mechanically" it is extremely reliable - meaning it will malfunction at a very low rate.
  • The disadvantage of scan engine is that the detection rate is dependent upon the existence of a signature = unreliable detection rate; no detection (complete bypass).
  • The advantage of proactive security is that it is not dependent upon the existence of a signature = designed to protect system in the absence of a signature.
  • The disadvantage of proactive security is that malware can cause it to mis-behave, malfunction, or fail completely (complete bypass); "mechanically" proactive security is not as reliable as a scan engine.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I think any AV or behavior blocker does have a signature. BB doesn't require frequent updates; maybe after a month or a few months, vendors release a newer version to update new algorithms for BB to be able to deal with new kinds of attacks.

Voodooshield AI, which I don't think relies on signature updates, but I'm not sure if it relies on an internet connection; please inform me.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
I think any AV or behavior blocker does have a signature. BB doesn't require frequent updates; maybe after a month or a few months, vendors release a newer version to update new algorithms for BB to be able to deal with new kinds of attacks.

Voodooshield AI, which I don't think relies on signature updates, but I'm not sure if it relies on an internet connection; please inform me.

For Voodooshield, please check Cruelsister's test. It also works offline (alerts) but is better online.
BB and heuristics use rules that also need to be updated... there was a question on the Emsi forum.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
I like the new BB setting at the bottom of version 12; it will be interesting to see how well it protects the system for users.

The thing I don't like about it, is that it appears that if an unknown file does not do anything that the behavior blocker detects as suspicious - then it will be allowed.

I don't know why they did not also offer the option to block the install\run of any file that is not specifically whitelisted in EAN.

Users can rely upon EAN in > 90 % of cases...

I think they should give that option also in that setting.

http://support.emsisoft.com/topic/25249-behaviour-blocker-anti-malware-network/
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
I like the new BB setting at the bottom of version 12; it will be interesting to see how well it protects the system for users.

The thing I don't like about it, is that it appears that if an unknown file does not do anything that the behavior blocker detects as suspicious - then it will be allowed.

I don't know why they did not also offer the option to block the install\run of any file that is not specifically whitelisted in EAN.

Users can rely upon EAN in > 90 % of cases...

I think they should give that option also in that setting.
Here it explains the reasoning a bit.
Expert option for unknown files - Feedback, Comments and Suggestions
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
"Well, on different forums, especially the ones about 'tips' and 'malware', most of the people doing the testing are amateurs at best, who can't distinguish harmless from malicious files. The amount of just trash they use for their testing is staggering. Essentially everything that has a GUI they can't read, because it is Chinese or Russian is malware for them. If we did care for those results, all we would do is introduce a metric ton of false positives. Nothing else." - Fabian (emphasis mine) :D


Anyway, I trust the rationale of Emsisoft's dev team. :)
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
"Well, on different forums, especially the ones about 'tips' and 'malware', most of the people doing the testing are amateurs at best, who can't distinguish harmless from malicious files. The amount of just trash they use for their testing is staggering. Essentially everything that has a GUI they can't read, because it is Chinese or Russian is malware for them. If we did care for those results, all we would do is introduce a metric ton of false positives. Nothing else." - Fabian (emphasis mine) :D


Anyway, I trust the rationale of Emsisoft's dev team. :)
He is not completely off though. What he is saying might come across as a bit offensive to some, but in general it's true. Most of us here are amateurs and have limited understanding of malware.
What I like about Emsisoft is that they have an idea of what they want their product to do and stick to it. That is something I appreciate, because if I don't like it I can skip their product. Many companies would just say we will think of it and possibly add it in a future version, and at the end it's just bs to please all users that complain.
 

Malakke

Level 5
Thread author
Verified
Well-known
Jan 29, 2013
221
Emsisoft has its own idiosyncrasy, and I love it, but sometimes it's good to hear its customers. Amateurs or not, here in MT a lot of people try to help, and I think that work deserves some respect and consideration. I have two Emsi licenses, but there are things I don't like and there is always margin to improve.
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Emsisoft has its own idiosyncrasy, and I love it, but sometimes it's good to hear its customers. Amateurs or not, here in MT a lot of people try to help, and I think that work deserves some respect and consideration. I have two Emsi licenses, but there are things I don't like and there is always margin to improve.
Thank you @Malakke for those wise words.
I highly respect Emsisoft and love its software since I came across it, but regarding @Fabian Wosar's statement, throw stones at me, but IMO it's also far from professional, criticizing the highly motivated Malware Vault team, but at the time of me writing these lines not stating yet what is to be improved. We all do tests in our spare time, try to improve our knowledge every day, and have learnt a lot from users like @Lucent Warrior. We had a way more "unprofessional" HUB before; now we're using well-regarded tools to spot any signs of infection, trying to help developers to improve our beloved AV. We don't like to have to write that the system got infected, but who is helped by us hiding detections, of harm or not? We owe it to our readers in the Vault to clearly indicate the level of protection of the AV they choose, as they spend their money on it. We are of course aware of the influence those ratings have, so we try to avoid any mistakes, self-controlling our work all over the team and sharing experiences and tips in real time.

Also, regarding the trash and the Cyrillic GUI "malware", I've not seen much of that in the past weeks / months.
Our tools, VT and competing AVs most of the time clearly indicate the danger of the stuff we collect from well-known pages like Hybrid Analysis. If we do not see a danger in files tested or if they don't work as supposed, this is clearly indicated. However, we try to avoid those. PUP/PUA are also avoided for good reason, especially Chinese ones.

Thank you for reading!

EDIT: Of course thanks to all of those who helped us to make the Malware Vault what it is now!
 

Lucent Warrior

"Well, on different forums, especially the ones about 'tips' and 'malware', most of the people doing the testing are amateurs at best, who can't distinguish harmless from malicious files. The amount of just trash they use for their testing is staggering. Essentially everything that has a GUI they can't read, because it is Chinese or Russian is malware for them. If we did care for those results, all we would do is introduce a metric ton of false positives. Nothing else." - Fabian (emphasis mine) :D


Anyway, I trust the rationale of Emsisoft's dev team. :)
You trust the rationale of a Vendor/Developer that has obviously not ventured into the Malware Vault and looked at the tests which are done correctly now as compared to quite some time back when there was a giant crew of users doing nothing but Static "right click scans" and calling it testing, without actually testing all of the product's Modules together as they are designed to work. All the samples are vetted in the Malware Hub and are fresh/low detection. Both static and Dynamic testing takes place, and the ones missed during testing are submitted to the Vendors "YES, YOU'RE WELCOME FABIAN" for those users' time helping your product.

I can attest to BD engine not always being current with signatures, not from testing Emsisoft, but from when I tested Vipre in the Hub, as it had low detection rates as well signature-wise, but AVC always kicked in and saved the day.

The fact that the NON-AMATEURS in the HUB, as just not anyone's post will be allowed to stay there unless done correctly, are not using OLD samples like the "YOUTUBERS which do so out of laziness", should not rub anyone the wrong way, it should in fact be held with respect and gratitude that there are users willing to VOLUNTEER their time to help the products/ungrateful vendors.

Since Fabian has the bedside manner of Andrew Dice Clay, I would take his words with a grain of salt.


The reason the Tests done in the Hub are both Static & Dynamic is to show the product's complete ability at protecting the system and not focused on just signatures. If at any point, a sample blows past all of the product's modules, I would suggest the developer to look into it, and they will be able to do so as the very professional TEAM always submit them.

Now if he was referring to Cruelsister's test, and the fact she would not share her modified samples, well then, do not know what to tell you Fabian as that is her work and her call, and I have much respect for her and her abilities, but this apart does not REFLECT on the Testers in the HUB.
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
One question for @Der.Reisende and all Emsisoft testers (love your work, of course!). I've seen in Malware Vault that Emsisoft's BB spends some time to react against malware (sometimes near to 1 minute). Do you think that in that time malware could infect a machine or drop any suspicious file?
Highly appreciated :)
Malware sleeping in memory for a minute or more is a common trick to avoid detection. Avast Cyber Capture might be something like that, @silversurfer for sure knows more about that, even might correct me if I'm wrong :) Droppers are becoming more and more common (.js ones, for example), as they, as well as the payload, are usually not detected by signatures in the first hours. So yes, something will be dropped, but in almost all cases Emsisoft software will intercept it as soon as malicious behavior is detected (this is when the malware running in memory stops sleeping by getting triggered by the related script, for example). You can usually clearly spot running malware in SysInternals Process Explorer.
Seldom something dropped is not caught by Emsisoft (mostly because of not being triggered) which is detected by us checking common folders like TEMP, but also by Zemana, HitmanPro or McAfee GetSusp.
SysInternals AutoRuns and TCPView do also indicate malicious entries.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Just for clarification, what I trust is Emsisoft dev's way of developing their software, not their criticism against MT's malware testing. :D

I brought up that quote because he was apparently referring to MT. That's all. :D

And for my opinion, I trust MT malware testers in the Hub. :D
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
You trust the rationale of a Vendor/Developer that has obviously not ventured into the Malware Vault and looked at the tests which are done correctly now as compared to quite some time back when there was a giant crew of users doing nothing but Static "right click scans" and calling it testing, without actually testing all of the product's Modules together as they are designed to work. All the samples are vetted in the Malware Hub and are fresh/low detection. Both static and Dynamic testing takes place, and the ones missed during Static testing are submitted to the Vendors "YES, YOU'RE WELCOME FABIAN" for those users' time helping your product.

I can attest to BD engine not always being current with signatures, not from testing Emsisoft, but from when I tested Vipre in the Hub, as it had low detection rates as well signature-wise, but AVC always kicked in and saved the day.

The fact that the NON-AMATEURS in the HUB, as just not anyone's post will be allowed to stay there unless done correctly, are not using OLD samples like the "YOUTUBERS which do so out of laziness", should not rub anyone the wrong way, it should in fact be held with respect and gratitude that there are users willing to VOLUNTEER their time to help the products/ungrateful vendors.

Since Fabian has the bedside manner of Andrew Dice Clay, I would take his words with a grain of salt.


The reason the Tests done in the Hub are both Static & Dynamic is to show the product's complete ability at protecting the system and not focused on just signatures. If at any point, a sample blows past all of the product's modules, I would suggest the developer to look into it, and they will be able to do so as the very professional TEAM always submit them.

Now if he was referring to Cruelsister's test, and the fact she would not share her modified samples, well then, do not know what to tell you Fabian as that is her work and her call, and I have much respect for her and her abilities, but this apart does not REFLECT on the Testers in the HUB.
Very well said, thank you!
 

Ana_Filiz

Level 4
Verified
Well-known
Aug 23, 2016
193
"Well, on different forums, especially the ones about 'tips' and 'malware', most of the people doing the testing are amateurs at best, who can't distinguish harmless from malicious files. The amount of just trash they use for their testing is staggering. Essentially everything that has a GUI they can't read, because it is Chinese or Russian is malware for them. If we did care for those results, all we would do is introduce a metric ton of false positives. Nothing else." - Fabian (emphasis mine) :D


Anyway, I trust the rationale of Emsisoft's dev team. :)

They (Emsi devs) should separate the frustration from the reality: they might not be satisfied with the results in the HUB but that is the reality and Emsisoft has certain results. ;)
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,264
Well, on different forums, especially the ones about "tips" and "malware", most of the people doing the testing are amateurs at best, who can't distinguish harmless from malicious files. The amount of just trash they use for their testing is staggering. Essentially everything that has a GUI they can't read, because it is Chinese or Russian is malware for them. If we did care for those results, all we would do is introduce a metric ton of false positives. Nothing else.

I don't like arrogant experts like this. I may be an amateur, but I know which samples are dangerous ;)
 