FS Protection PC 17.9 (beta) test - AVTestGuy - 2020/10/03
<blockquote data-quote="MacDefender" data-source="post: 907641" data-attributes="member: 83059"><p>Overall the results are interesting, I agree, mostly a positive performance. Looks like Avira signatures are doing a good job at static detection but still, some of the samples relied on DeepGuard heuristics/behavior blocking.</p><p>One thing that bugs me is that the on-access triggered scans are sensitive to file extensions (like something named .jpeg but not .exe), as you saw in your tests. Even if you set the setting to "all extensions", it still seems like F-Secure makes some decisions around what engines / what kind of file it is based off the extension. I see this frequently when downloading samples from Cape Sandbox where they're just named &lt;sha1 hash&gt;. They don't trigger any detection with an explicit All Detections scan, but the moment I rename it to an .exe, boom, it gets caught. (I assume this is because Avira cloud scanning only triggers on specific extensions.)</p><p>I did have a question though about the samples you had in the video. I wasn't watching too closely, but some of the things that got through looked borderline. Like there was a KMS38 activator, which I have a local sample of. To the best of my analysis abilities, this is not malware. It does temporarily swap out a few DLLs in system32 with cracked copies in order to fake an activation, but then it puts back the original. This behavior (plus it being a piracy tool) results in a lot of engines flagging it. There was also something that looked like a classic DOOM game. Were these samples truly verified to be malware? It's very much possible that you have a trojaned version that mimics the legitimate one I have; I just wanted to be sure.</p></blockquote>
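The post above describes a scanner that decides how to treat a file from its extension, so a sample named only by its hash or renamed to .jpeg is not inspected until it is renamed to .exe. The defensive counterpart is to identify file type from content: a Windows executable is recognisable from its MZ/DOS header and the PE signature that the e_lfanew field points to, whatever the filename says. The example below is added here and is not code from the post, from F-Secure or from Avira; the sample file names and byte strings are constructed, and the tiny PE header it builds is only a header, not a runnable image. It shows how an extension-gated check and a content-gated check disagree on the renamed and hash-named cases the post mentions.

```python
import struct
from typing import Dict, List, Tuple


def build_minimal_pe_header() -> bytes:
    """Constructed sample: a 0x40-byte DOS header whose e_lfanew field (offset 0x3C)
    points at a PE\\0\\0 signature. It is not an executable; it exists only so the
    content check below has realistic bytes to inspect."""
    e_lfanew = 0x40
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20  # signature plus padding


def content_type(data: bytes) -> str:
    """Classify a blob by its bytes, ignoring the filename entirely."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"  # JPEG SOI marker
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-stub"  # DOS header present but no PE signature behind it
    return "unknown"


def extension_type(name: str) -> str:
    """What an extension-gated scanner would assume from the name alone."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    table = {"exe": "pe", "dll": "pe", "scr": "pe", "jpg": "jpeg", "jpeg": "jpeg"}
    return table.get(ext, "unknown")


def triage(name: str, data: bytes) -> Dict[str, object]:
    """Compare the two gating strategies for one file and flag disagreement."""
    by_ext = extension_type(name)
    by_content = content_type(data)
    return {
        "name": name,
        "by_extension": by_ext,
        "by_content": by_content,
        "extension_gated_scan_would_inspect": by_ext == "pe",
        "content_gated_scan_would_inspect": by_content == "pe",
        "mismatch": by_ext != by_content,
    }


# Constructed corpus: a hash-named sample with no extension (the Cape Sandbox
# case from the post), a PE renamed to .jpeg, a real-looking JPEG and a plain .exe.
# The hex name is a placeholder, not a hash of any real file.
SAMPLES: List[Tuple[str, bytes]] = [
    ("0123456789abcdef0123456789abcdef01234567", build_minimal_pe_header()),
    ("holiday.jpeg", build_minimal_pe_header()),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\0" * 32),
    ("tool.exe", build_minimal_pe_header()),
]


def run_triage() -> List[Dict[str, object]]:
    """Run both checks over the constructed corpus and return one row per file."""
    return [triage(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for row in run_triage():
        print(
            f"{row['name'][:24]:<24} ext={row['by_extension']:<8} "
            f"content={row['by_content']:<8} mismatch={row['mismatch']}"
        )
```

Two of the four constructed files are executables that an extension-only gate would never hand to the PE engines; the content check catches both with a few bytes of header parsing, which is the cheap test a scanner (or a triage script run before submitting samples) can apply regardless of how the file was named.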