FS Protection PC 18.4 releases (beta)
MacDefender wrote (post 997750):

I find DeepGuard tends to declare something suspicious oftentimes before even one file gets encrypted. If it's a good exploit, maybe some files.

I feel less comfortable with the System Watching approach of "hey go do your thing, I'll roll things back later" if anything. The more time you let malware run, the more things it can do which you'll either fail to roll back or can't roll back. For example, there's no rolling back of extortionware when it steals your files before encrypting them.

Again, DeepGuard tends to be sensitive and prone to false positives if you routinely deal with unknown PE files. KSW is much less prone to false positives. It is also an extremely, extremely effective behavior blocker. Not giving a preference.

(addressing these together): @upnorth I definitely admit this is purely a guess as an observer and an observation from 1-2 months ago, as I haven't recently been able to keep up with trends. I also am fairly confident of this pattern when it comes to PE malware on abuse.ch in particular. Some of the blacklisted samples I've looked at on abch were legit software that happened to trigger a sandbox heuristic, and if there had been any human inspection of the sandbox result, it would not have been marked as malware.

Personally, I think this technique is pretty effective against zero-days; my concern is mostly that it biases some casual malware testing results. Of course the experts don't just get samples from Abuse.ch, but in a lot of the YouTube videos I'm watching, the samples do appear to basically be scraped from a public sandbox. It could make the results seem misleadingly good.