Products to compare:
BitDefender Total Security
F-Secure SAFE
Emsisoft Anti-Malware
ESET Internet Security

Comparison criteria:
Usability
Performance and System Impact
Computer protection (Antivirus engine, Heuristic engine)
Internet protection (Web Guard, Anti-Phishing, Antispam, Browser extension)
Proactive protection (Behavior blocker, HIPS, Sandbox)
Network protection (Firewall, Botnet protection)
Ransomware protection
Banking & Payments protection
Features

roger_m

Level 26
Verified
Content Creator
According to the Eset Malware Research Team, when I had a chat with them in the past, they usually release detections every 4 hours.
According to Bitdefender Support, they release detections every 1 hour for paid products and every 2 hours for the free product.
@Umbra was not talking about how often they release new signatures, but how quickly they add signatures for new malware. Lately, Bitdefender has often been slow at adding signatures for 0 day malware.
 

MacDefender

Level 5
Verified
My order of preference at this point is:

1. F-Secure SAFE
2. ESET (but preferably NOD32)
3. Emsisoft AM
4. Bitdefender TS

Between F-Secure and ESET, they excel at different things. F-Secure has decent signatures and an excellent behavior blocker for zero-days and custom/targeted malware. If a program does something sketchy on your machine, you can expect F-Secure DeepGuard to raise a fit, regardless of whether it's similar to or a variant of an existing malware. ESET on the other hand excels at signature detection (it's arguably the most comprehensive and fastest reacting), but if anything gets past its signatures, you are basically screwed. Its HIPS (behavior blocker) component works a bit unusually and is nowhere near as reactive as other products that have such a feature. But that also makes it somewhat lighter on resources when executing unknown binaries and less susceptible to false positives, but in practice I find that F-Secure and ESET are similarly light.

These are the two that I alternate between the most. I have to say, I strongly dislike ESET's firewall. It has gotten in the way of a ton of things -- Miracast display mirroring, SONOS speaker discovery, etc. Its "troubleshooting wizard" isn't super helpful, it tells you stuff like "Svchost was blocked 100 times in the last 15 minutes" and offers to auto-fix but the auto-fix writes specific and borderline nonsensical rules. Not very intelligent. If you understand networking and are good at configuring a firewall, this isn't a problem, but for the average user, I think the firewall component is superfluous. I usually run my ESET as NOD32 even though I bought the Internet Security package. Also, ESET does some really stupid things too like a startup scan on every reboot (that thing burned 20% of my laptop's battery life before I caught it, leaving me with a dead battery on my flight home). The settings UI is simply daunting and I frequently spend days getting it tweaked correctly. It also intercepts and re-signs HTTPS by default, which is controversial (some love it, others hate it).


Emsi and BitDefender I kind of group together. They use the same set of base signatures but Emsisoft adds on top a great behavior blocker as well as a second engine that's focused on PUAs. Emsisoft does pretty well but its main weakness is that BitDefender signatures seem to be getting worse and worse over time. These days in the Malware Hub it seems to rarely detect more than 50% of zero days via signatures, while ESET can manage 90+% fairly consistently.

BitDefender's store seems super aggressive at auto-renew and requires lengthy waits for a human to process customer service requests like cancelling renewals. Emsisoft rarely goes on sale and that makes it poor bang-for-the-buck, and sometimes its behavior blocker is simply too sensitive. I've had the most false positives with Emsisoft's behavior blocker, and I've also had a lot of 2 minute long hangs from right clicking things on network mounts when Emsisoft is enabled.



Overall my preference is towards F-Secure. It simply works great out of the box and I rarely even need to go into the preferences. @harlan4096 has been running malware hub tests of F-Secure for a few months now and I am fairly happy with how it performed. ESET's static protection is much better and ESET's overall protection rate in the hub is also arguably slightly better than F-Secure, but the little bits of awkwardness around it makes it a slightly worse choice for me.

However, if you frequently want to use on-demand scanning (e.g. right-clicking a folder and scanning it) rather than relying on on-execution scanning, then definitely ESET. F-Secure's AVIRA engine is okay, but it catches a lot more stuff via DeepGuard and cloud protection when you actually execute something compared to just asking for it to be scanned ahead of time.


EDIT: To more directly address Emsi vs F-Secure's behavior blocker: I would say Emsi's is slightly better at blocking malware -- they are the original behavior blocker and continue to show that they care about this form of protection. But F-Secure's DeepGuard has almost no false positives these days while providing more or less similar protection. Emsisoft's has far more false positives that are addressed through whitelisting specific hashes, which results in more situations where a brand new update (or nightly build or private beta) to something like Firefox or VMWare Workstation would result in Emsisoft calling it malware-like behavior.
 

MacDefender

Level 5
Verified
@MacDefender, the only drawback I found during these weeks of testing in F-Secure is with some scripts whose payloads are not a PE/exe file; in these cases DeepGuard can't stop the script...
Yep I agree with this.

The way you defeat DeepGuard is you basically get a moderately well known scriptable process to do your dirty work for you.

One example in the wild is you just download a copy of Node.js and then have your ransom encrypting done via JavaScript. The interpreter is whitelisted and DeepGuard doesn't pay attention to what it's doing.

I've got another local test where I just used a build of 7zip and used the command line command to create encrypted zip files of the user's data and that also didn't seem to trigger DeepGuard.

I might prepare another MacDefender homebrew ransomware pack this week and see if the community can help us test. It does seem like it's a general flaw of behavior blockers that if you can convince them part of your payload is whitelisted, it creates a huge blind spot. I do want to see whose BB can deal with this. It shouldn't be hard to track a process tree and trace back to who exactly triggered a whitelisted thing to happen.
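The process-tree check the post above calls for, as an added illustration that is not code from the thread or from any of the products discussed: a behaviour blocker that judges only the acting image treats a whitelisted interpreter (node.exe, 7z.exe) as trusted, while one that walks the ancestry attributes the sensitive behaviour to the first untrusted ancestor. The process events, image names and allowlist below are all constructed for the example.

```python
# Constructed process-creation events (fields modelled on a Sysmon-style
# process-create log: pid, parent pid, image). Not from any real capture.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": "invoice.pdf.exe"},  # unknown binary the user opened (hypothetical name)
    {"pid": 3, "ppid": 2, "image": "node.exe"},         # whitelisted interpreter spawned by the unknown binary
    {"pid": 4, "ppid": 1, "image": "node.exe"},         # same interpreter started by the user from explorer
    {"pid": 5, "ppid": 2, "image": "7z.exe"},           # archiver spawned by the unknown binary
]

# Images a behaviour blocker would normally trust outright (constructed allowlist).
ALLOWLIST = {"explorer.exe", "node.exe", "7z.exe", "cmd.exe"}


def build_index(events):
    """Map pid -> event so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in events}


def ancestry(index, pid):
    """Return [pid, parent, grandparent, ...] up to the root; stops when a
    parent is unknown (e.g. it already exited before logging began)."""
    chain = []
    while pid in index:
        chain.append(pid)
        pid = index[pid]["ppid"]
    return chain


def naive_is_trusted(index, pid, allowlist=ALLOWLIST):
    """The blind spot: decide by the acting image alone."""
    return index[pid]["image"].lower() in allowlist


def untrusted_origin(index, pid, allowlist=ALLOWLIST):
    """Walk up from pid and return the first process (pid included) whose
    image is not allowlisted, or None if the whole chain is trusted."""
    for p in ancestry(index, pid):
        if index[p]["image"].lower() not in allowlist:
            return p
    return None


def attribute_behaviour(index, pid, behaviour):
    """Attribute a sensitive behaviour (e.g. bulk encryption of user files)
    performed by `pid` to the first untrusted ancestor instead of trusting
    the acting image. Returns None when no untrusted ancestor exists."""
    origin = untrusted_origin(index, pid)
    if origin is None:
        return None
    return {"actor": index[pid]["image"], "behaviour": behaviour,
            "culprit": index[origin]["image"], "culprit_pid": origin,
            "chain": [index[p]["image"] for p in ancestry(index, pid)]}
```

With these events, `naive_is_trusted` clears pid 3 (node.exe), while `attribute_behaviour` traces the same activity back to pid 2 and leaves the user's own node.exe (pid 4) alone.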
 

Nightwalker

Level 19
Verified
Trusted
Content Creator
Yep I agree with this.

The way you defeat DeepGuard is you basically get a moderately well known scriptable process to do your dirty work for you.

One example in the wild is you just download a copy of Node.js and then have your ransom encrypting done via JavaScript. The interpreter is whitelisted and DeepGuard doesn't pay attention to what it's doing.

I've got another local test where I just used a build of 7zip and used the command line command to create encrypted zip files of the user's data and that also didn't seem to trigger DeepGuard.

I might prepare another MacDefender homebrew ransomware pack this week and see if the community can help us test. It does seem like it's a general flaw of behavior blockers that if you can convince them part of your payload is whitelisted, it creates a huge blind spot. I do want to see whose BB can deal with this. It shouldn't be hard to track a process tree and trace back to who exactly triggered a whitelisted thing to happen.
I am looking forward to your tests; maybe you could test Kaspersky 2020, I think it has one of the few behavior blockers without this blind spot.
 

MacDefender

Level 5
Verified
I am looking forward to your tests; maybe you could test Kaspersky 2020, I think it has one of the few behavior blockers without this blind spot.
I will likely just distribute the test binaries to some testers -- I do like the transparency of having someone else other than the POC writer report the result. Please feel free to let me know offline what is the best way to get such samples to those who are willing to test.
 

low L!fe

Level 6
Verified
Recently, I used GDATA: strong behavior blocker, strong firewall, dual engine, keylogger protection, WLAN security, password manager and more.
I have a high-spec laptop, so I don't look at performance.
But from this list I will choose BitDefender Total Security, then ESET, then F-Secure, then Emsisoft.
If you are interested in performance, go with ESET or McAfee.